Splunk® Add-on Builder

Splunk Add-on Builder User Guide



This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

Manage source types

Source types let you categorize your data for easier searching. A source type tells Splunk software what type of data you have, so that it can format the data intelligently during indexing.

Utilize source types when:

  • You've added data inputs in the Configure Data Collection section, but the modular inputs you created do not collect data quickly enough.
  • Your add-on relies on native core data inputs for data collection (for example, syslog files or the HTTP Event Collector) and you use the Add-on Builder for creating knowledge objects and performing data model mapping.
  • You have configured a data collection and you want to upload more sample data to create knowledge objects, such as field extractions, and to perform data model mapping.
  • You want to edit an existing source type to configure its timestamp recognition or event line breaking.

For more information about source types, see Why source types matter in the Getting Data In manual.

You can add new source types in the Add-on Builder in two ways:

  • Create a new source type and also upload sample data from one or more files for this source type.
  • Import an existing source type from the Splunk platform.

Sample data counts against your license.

Add new source type


To create a source type and add sample data to it

  1. On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
  2. On the Manage Source Types page, click Add and then New Source Type.
  3. Enter a unique source type name.
  4. Click Upload Data, navigate to and select the sample data file, then click Open.
  5. The preview displays the first 1000 events from the first 2MB of data.

  6. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
  7. Click Save.
  8. Sample events are stored in a dedicated "add_on_builder_index" index.


To import an existing source type

  1. On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
  2. On the Manage Source Types page, click Add and then Import From Splunk.
  3. Select a source type from the drop-down list.
  4. (Optional) Click Upload Data, navigate to and select the sample data file, then click Open.
  5. The preview displays the first 1000 events from the first 2MB of data.

  6. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
  7. Click Save.

Edit existing source type of this add-on

To edit an existing source type and add sample data to it

  1. On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
  2. Click Edit on the source type you want to edit.
  3. (Optional) Click Upload Data, navigate to and select the sample data file, then click Open.
  4. The preview displays the first 1000 events from the first 2MB of data.

  5. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
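
The Event Breaks and Timestamp choices are the same in all three procedures above. The following added Python example (not part of the Add-on Builder or this page) simulates the Auto, Every Line and Regex modes over a constructed multi-line log to show why Every Line orphans stack-trace lines while Regex and Auto keep them with their parent event; LINE_BREAKER, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD are stand-ins for the props.conf settings these sections generate.

```python
from __future__ import annotations
import re
from datetime import datetime

# Constructed sample (not from the page): one single-line event, then a multi-line event.
SAMPLE = (
    "2019-11-27 10:15:01,123 INFO  Worker started job=42\n"
    "2019-11-27 10:15:02,456 ERROR Worker failed job=42\n"
    "java.lang.NullPointerException: key\n"
    "\tat com.example.Worker.run(Worker.java:88)\n"
)

# Stand-ins for the props.conf keys the Event Breaks / Timestamp sections set.
# A Splunk LINE_BREAKER needs a capturing group; the captured text is discarded.
# Splunk's TIME_FORMAT would use %3N for milliseconds; Python's strptime uses %f.
LINE_BREAKER = r"([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
TIME_PREFIX = r"^"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%f"
MAX_TIMESTAMP_LOOKAHEAD = 23

def extract_timestamp(event: str) -> datetime | None:
    """Parse the timestamp in the lookahead window after TIME_PREFIX, or None."""
    m = re.search(TIME_PREFIX, event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    try:
        return datetime.strptime(window, TIME_FORMAT)
    except ValueError:
        return None

def break_every_line(data: str) -> list[str]:
    """'Every Line': each line is an event; stack-trace lines become orphans."""
    return [line for line in data.split("\n") if line]

def break_by_regex(data: str, breaker: str = LINE_BREAKER) -> list[str]:
    """'Regex': split at LINE_BREAKER matches, dropping the captured separator."""
    parts = re.split(breaker, data)
    return [p.strip("\r\n") for p in parts[::2] if p.strip("\r\n")]

def break_auto(data: str) -> list[str]:
    """'Auto' (approximated): a new event starts at each line that begins with a
    recognisable timestamp; lines without one continue the current event."""
    events: list[str] = []
    for line in filter(None, data.split("\n")):
        if extract_timestamp(line) is not None or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events
```

Orphaned continuation lines carry no timestamp of their own and are separated from the event they belong to, which silently breaks field extractions and searches built on the full event.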

Learn more

For more information, see the following Splunk Enterprise documentation:

Last modified on 27 November, 2019

This documentation applies to the following versions of Splunk® Add-on Builder: 2.2.0
