Hello,
For some reason, when setting up some heavy forwarders to accept syslog data on UDP 514, a colleague of mine ran the following command:
Splunk add UDP 514 -sourcetype udp:514.
This added the following stanza to %splunkhome%/etc/apps/search/local/inputs.conf:
[udp://514]
connection_host = ip
sourcetype = udp:514
This is forcing sourcetype name "udp:514" on all the data that come in on that port.
My question is, if I just remove the "sourcetype = udp:514", will all future data be assigned the correct automatic sourcetypes?
Thanks,
JG