Source types for add-ons
All Splunk supported add-ons have one or more predefined source types to identify the type of data the add-on collects from the third-party system. Many source types support data models in the Common Information Model.
Source type naming conventions
Source type names use the following format:
The shortest source type name is used to distinguish it from other source types. For example, if the vendor provides only a single format, then
:format is not included in the source type name. If the vendor's product does not provide different log formats or sources for different technologies, then
:technology is not included in the source type name. For example, the Splunk Add-on for OSSEC has a single source type called
ossec. This source type name uses only one of the naming components because the add-on collects only one kind of data from the vendor, OSSEC.
Search using add-on source types
The source type naming format enables you to use wildcards at the end of a search term when you run a search to achieve the desired level of abstraction in the search results.
For example, you can run the following search to retrieve all Cisco logs.
Run the following search to retrieve all Cisco ESA logs.
Run the following search to retrieve only the Cisco ESA textmail format logs.
Setting source type for inputs
Some Splunk add-ons have preconfigured inputs set to the appropriate source type for the third-party technology. During index time, the add-on separates the data into specific source types if there is more than one source type included with the add-on.
For add-ons that require you to create inputs to retrieve data from the third-party system, you must set the source type to a specific source type for the add-on technology as referenced in the documentation for the add-on. This source type tells the Splunk platform how to format the events during indexing. The CIM mappings and any dashboard panels provided with the add-on are also dependent on this source type. If the data inputs are not set to the correct source type, the CIM mappings and dashboard panels included with the add-on will not work.
For more information about source types, see Why source types matter in the Splunk Enterprise Getting Data In manual.
Add-ons and CIM
Add-ons and indexes
This documentation applies to the following versions of Splunk® Supported Add-ons: released