Splunk® Add-on Builder

Splunk Add-on Builder User Guide


Manage source types

After you add data inputs in the Configure Data Collection section, the modular inputs you created might not collect data quickly enough. Managing source types is useful when:

  • Your add-on relies on native core data inputs for data collection (for example, syslog files or the HTTP Event Collector) and you use the Add-on Builder to create knowledge objects and perform data model mapping.
  • You have configured a data collection and you want to upload more sample data to create knowledge objects, such as field extractions, and to perform data model mapping.
  • You want to edit an existing source type, for example to configure the timestamp or event line breaking.


You can add new source types in two ways:

  • Create a new source type and also upload sample data from one or more files for this source type.
  • Import an existing source type from the Splunk platform.

Sample data counts against your license.

Add new source type


To create a source type and add sample data to it

  1. On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
  2. On the Manage Source Types page, click Add and then New Source Type.
  3. Enter a unique source type name.
  4. Click Upload Data, navigate to and select the sample data file, then click Open.
  5. The preview displays the first 1000 events from the first 2MB of data.

  6. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
  7. Click Save.
  8. Sample events are stored in a dedicated "add_on_builder_index" index.


To import an existing source type

  1. On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
  2. On the Manage Source Types page, click Add and then Import From Splunk.
  3. Select a source type from the drop-down list.
  4. (Optional) Click Upload Data, navigate to and select the sample data file, then click Open.
  5. The preview displays the first 1000 events from the first 2MB of data.

  6. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
  7. Click Save.

Edit existing source type of this add-on

To edit the existing source type and add sample data to it

  1. On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
  2. Click Edit on the source type you want to edit.
  3. (Optional) Click Upload Data, navigate to and select the sample data file, then click Open.
  4. The preview displays the first 1000 events from the first 2MB of data.

  5. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
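The Event Breaks and Timestamp options used in the three procedures above, as a local dry run you can point at a sample file before uploading it (uploads count against your license). This is an added example, not Add-on Builder code; its "auto" timestamp detection and the break-before reading of the Regex option are simplifying assumptions.

```python
import re
from datetime import datetime

# Preview limits stated on the page: first 2 MB of data, first 1000 events.
PREVIEW_MAX_BYTES = 2 * 1024 * 1024
PREVIEW_MAX_EVENTS = 1000

# Assumption: a simplified stand-in for Splunk's automatic timestamp detection
# that only recognises "YYYY-MM-DD HH:MM:SS" (or "YYYY-MM-DDTHH:MM:SS") stamps.
AUTO_TS_REGEX = r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}"
AUTO_TS_FORMAT = "%Y-%m-%d %H:%M:%S"

def break_events(sample, mode="auto", regex=""):
    """Split raw sample bytes into events the way the Event Breaks options do:
    "every_line": each non-empty line is one event; "auto": a line carrying a
    timestamp starts a new event, other lines merge into the previous one;
    "regex": a line matching `regex` starts a new event (assumed break-before).
    Returns at most the first 1000 events found in the first 2 MB."""
    text = sample[:PREVIEW_MAX_BYTES].decode("utf-8", errors="replace")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if mode == "every_line":
        events = lines
    elif mode in ("auto", "regex"):
        starter = re.compile(regex if mode == "regex" else AUTO_TS_REGEX)
        events = []
        for ln in lines:
            if starter.search(ln) or not events:
                events.append(ln)            # this line begins a new event
            else:
                events[-1] += "\n" + ln      # continuation of the previous event
    else:
        raise ValueError("unknown event-break mode: %s" % mode)
    return events[:PREVIEW_MAX_EVENTS]

def extract_timestamp(event, ts_regex=AUTO_TS_REGEX, ts_format=AUTO_TS_FORMAT):
    """Pull the event time out of one event, as the Timestamp section would.
    Returns None when no stamp matches, which is the signal that the timestamp
    settings (or the event breaking) are wrong for this data."""
    m = re.search(ts_regex, event)
    if m is None:
        return None
    return datetime.strptime(m.group(0).replace("T", " "), ts_format)

# Constructed sample data (not from the page): a two-line error event sits
# between two single-line events, which is where "Every Line" goes wrong.
SAMPLE = b"""2024-03-01 10:00:01 INFO login user=alice src=10.0.0.5
2024-03-01 10:00:02 ERROR auth failed user=bob
  caused by: bad password
2024-03-01 10:00:03 INFO logout user=alice
"""
```

Comparing `break_events(SAMPLE, "every_line")` with `break_events(SAMPLE, "auto")` shows the continuation line being torn off into its own timestamp-less event under Every Line, which is exactly what the preview is there to catch.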

Learn more

For more information, see the following Splunk Enterprise documentation:


This documentation applies to the following versions of Splunk® Add-on Builder: 2.2.0

