Forums: SplunkGeneral: Mysterious IIS-2 sourcetype

Since upgrading to 4.0.9, Splunk seems to have decided that I need an IIS-2 sourcetype (created in /etc/apps/learned/local/props.conf as best I can tell).
Is there a way to get rid of this? I tried deleting the stanza from props.conf (and an apparently associated one in transforms.conf), but Splunk keeps re-creating it/them.
I already have an IIS sourcetype, so when Splunk decides to use IIS-2 instead, it messes up my searches/reports.

Thanks

I do have it in inputs.conf:

[monitor://\\iis_server\LogFiles\W3SVC1]
disabled = 0
host = iis_server
sourcetype = IIS

And it worked fine until 4.0.9.

I've got the same problem. Even specifying the sourcetype in inputs.conf doesn't have an effect. As it is I'm working on using the "rename = iis" key/value pair in my props.conf to manually rename the sourcetype, but it would sure be nice if this worked out of the box.

Seeing the same issue here. Any way to change the sourcetype of existing data?

Had similar experience. I initially set the sourcetype to automatic for my inputs. The data was then indexed and I ended up with sourcetype iis-2, iis-3.

So I then modified the inputs.conf file to manually set the sourcetype to iis. But my indexed data remained with iis-2 and iis-3.

According to the manual, changing sourcetype affects new data coming in after the config change, and not the indexed data.

So i then modified props.conf to rename the sourcetype for the already indexed data.

[iis-2]
rename = iis

Below is where I found it in the documentation:

Override automatic source type:
http://www.splunk.com/base/Documentation/latest/Admin/Bypassautomaticsourcetypeassignment

Renaming Source type:
http://www.splunk.com/base/Documentation/latest/Admin/Renamesourcetypes