The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.
Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.
Previous Topic: no data indexed with splunk 2.0 | Next Topic: unattended installer in 2.0.4 ignores command-line parameters
Posts 1–3 of 3
Was the auto tagging feature scrapped in 2.0? I've noticed that on my FIFO input at least that it's not doing the auto tagging of events that it used to do in 1.2.x. I could probably dig through the typers and figure this out, but I was curious what the official word was.
Thanks,
Joe
Hey Joe,
It's now configurable and defaults to no. Take a look at the default section in $SPLUNK_HOME/etc/known-props, there's this line:
<attribute name="AUTO_TAG">False</attribute>
Change to True and you should be set (after a restart).
Thanks,
Ariel
Just to be sure this doesn't get changed at the next upgrade, add this instead to the overlay-props.xml :
<properties name="your source type here">
<attribute name="AUTO_TAG">True</attribute>
</properties>
Overlay files are new in 2.0 which allows users to overide entries in known-props and known-types. For more information on this, check out: