Admin Manual

Pre-trained source types

Splunk ships pre-trained to recognize many different source types. A number of source types are automatically recognized, tagged and parsed appropriately. Splunk also contains a significant number of pre-trained source types that are not automatically recognized but can be assigned via SplunkWeb or inputs.conf.


It's a good idea to use a pre-trained source type if it matches your data, because Splunk ships optimized indexing properties (timestamp recognition, event breaking and field extractions) for each pre-trained source type. If your data does not match any pre-trained source type, Splunk can still index virtually any format of data without custom properties; you can also assign a source type explicitly in inputs.conf, which is the safer choice for feeds that searches and alerts depend on, since automatic recognition only looks at the shape of the data and a mis-typed feed is searched under the wrong source type name.


Learn more about source types and how they work.


Automatically recognized source types

Each entry gives the source type name, the origin of the data, and a sample line. Samples marked "(truncated)" are cut short in this version of the page.

access_combined
    Origin: NCSA combined format http web server logs (can be generated by apache or other web servers)
    Sample: 10.1.1.43 - webdev [08/Aug/2005:13:18:16 -0700] "GET / HTTP/1.0" 200 0442 "-" "check_http/1.10 (nagios-plugins 1.4)"

access_combined_wcookie
    Origin: NCSA combined format http web server logs (can be generated by apache or other web servers), with a cookie field added at the end, e.g. "66.249.66.102.1124471045570513"
    Sample: 59.92.110.121 - - [19/Aug/2005:10:04:07 -0700] "GET /themes/splunk_com/images/logo_splunk.png HTTP/1.1" 200 994 "http://www.splunk.org/index.php/docs" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4" "61.3.110.148.1124404439914689"

access_common
    Origin: NCSA common format http web server logs (can be generated by apache or other web servers)
    Sample: 10.1.1.140 - - [16/May/2005:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 304

apache_error
    Origin: Standard Apache web server error log
    Sample: [Sun Aug 7 12:17:35 2005] [error] [client 10.1.1.015] File does not exist: /home/reba/public_html/images/bullet_image.gif

asterisk_cdr
    Origin: Standard Asterisk IP PBX call detail record
    Sample: "","5106435249","1234","default","""James Jesse""<5106435249>","SIP/5249-1ce3","","VoiceMail","u1234","2005-05-26 15:19:25","2005-05-26 15:19:25","2005-05-26 15:19:42",17,17,"ANSWERED","DOCUMENTATION"

asterisk_event
    Origin: Standard Asterisk event log (management events)
    Sample: Aug 24 14:08:05 asterisk[14287]: Manager 'randy' logged on from 127.0.0.1

asterisk_messages
    Origin: Standard Asterisk messages log (errors and warnings)
    Sample: Aug 24 14:48:27 WARNING[14287]: Channel 'Zap/1-1' sent into invalid extension 's' in context 'default', but no invalid handler

asterisk_queue
    Origin: Standard Asterisk queue log
    Sample: NONE|NONE|NONE|CONFIGRELOAD|

cisco_syslog
    Origin: Standard Cisco syslog produced by all Cisco network devices including PIX firewalls, routers, ACS, etc., usually via remote syslog to a central log host
    Sample: Sep 14 10:51:11 stage-test.splunk.com (truncated)

db2_diag
    Origin: Standard IBM DB2 database administrative and error log
    Sample: 2005-07-01-14.08.15.304000-420 (truncated)

exim_main
    Origin: Exim MTA mainlog
    Sample: 2005-08-19 09:02:43 1E69KN-0001u6-8E => support-notifications@splunk.com R=send_to_relay T=remote_smtp H=mail.int.splunk.com [10.2.1.10]

exim_reject
    Origin: Exim reject log
    Sample: 2005-08-08 12:24:57 SMTP protocol violation: synchronization error (input sent without (truncated)

linux_messages_syslog
    Origin: Standard Linux syslog (/var/log/messages on most platforms)
    Sample: Aug 19 10:04:28 db1 sshd(pam_unix)[15979]: session opened for user root by (uid=0)

linux_secure
    Origin: Linux secure log
    Sample: Aug 18 16:19:27 db1 sshd[29330]: Accepted publickey for root from ::ffff:10.2.1.5 port 40892 ssh2

log4j
    Origin: Log4j standard output produced by any J2EE server using log4j
    Sample: 2005-03-07 16:44:03,110 53223013 [PoolThread-0] INFO [STDOUT] got some property...

mysqld_error
    Origin: Standard MySQL error log
    Sample: 050818 16:19:29 InnoDB: Started; log sequence number 0 43644 /usr/libexec/mysqld: ready for connections. Version: '4.1.10a-log' socket: '/var/lib/mysql/mysql.sock' port: 3306 Source distribution

mysqld
    Origin: Standard MySQL query log; also matches MySQL's binary log following conversion to text
    Sample:
        53 Query SELECT xar_dd_itemid, xar_dd_propid, xar_dd_value
                FROM xar_dynamic_data
               WHERE xar_dd_propid IN (27)  AND xar_dd_itemid = 2

postfix_syslog
    Origin: Standard Postfix MTA log reported via the Unix/Linux syslog facility
    Sample: Mar 1 00:01:43 avas postfix/smtpd[1822]: 0141A61A83: client=host76-117.pool80180.interbusiness.it[80.180.117.76]

sendmail_syslog
    Origin: Standard Sendmail MTA log reported via the Unix/Linux syslog facility
    Sample: Aug 6 04:03:32 nmrjl00 sendmail[5200]: q64F01Vr001110: to=root, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, min=00026, relay=[101.0.0.1] [101.0.0.1], dsn=2.0.0, stat=Sent (v00F3HmX004301 Message accepted for delivery)

sugarcrm_log4php
    Origin: Standard SugarCRM activity log reported using the log4php utility
    Sample: Fri Aug 5 12:39:55 2005,244 [28666] FATAL layout_utils - Unable to load the application list language file for the selected language(en_us) or the default language(en_us)

weblogic_stdout
    Origin: WebLogic server log in the standard native BEA format
    Sample: ####<Sep 26, 2005 7:27:24 PM MDT> <Warning> <WebLogicServer> <bea03> <asiAdminServer> <ListenThread.Default> <<WLS Kernel>> <> <BEA-000372> <HostName: 0.0.0.0, maps to multiple IP addresses:169.254.25.129,169.254.193.219>

websphere_activity
    Origin: WebSphere activity log, also often referred to as the service log
    Sample: --------------------------------------------------------------- (truncated)

websphere_core
    Origin: Corefile export from WebSphere
    Sample: NULL (truncated)

websphere_trlog_syserr
    Origin: Standard WebSphere system error log in IBM's native trlog format
    Sample: [7/1/05 13:41:00:516 PDT] 000003ae SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete (HttpICLReadCallback.java(Compiled Code)) (truncated)

websphere_trlog_sysout
    Origin: Standard WebSphere system out log in IBM's native trlog format; similar to the log4j server log for Resin and JBoss, same format as the system error log but containing lower severity and informational events
    Sample:
        [7/1/05 13:44:28:172 PDT] 0000082d SystemOut O Fri Jul 01 13:44:28 PDT 2005 TradeStreamerMDB:
        100 Trade stock prices updated:
              Current Statistics
              Total update Quote Price message count = 4400
              Time to receive stock update alerts messages (in seconds):
                     min: -0.013
                     max: 527.347
                     avg: 1.0365270454545454
              The current price update is:       Update Stock price for s:393 old price = 15.47 new price = 21.50

windows_snare_syslog
    Origin: Standard Windows event log reported through a 3rd party InterSect Alliance Snare agent to remote syslog on a Unix or Linux server
    Sample: 0050818050818 Sep 14 (truncated)
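The following is an added example, not Splunk's own recognizer or any code from this manual. It shows what "automatically recognized" means in practice: a recognizer that looks only at the shape of the first lines of a file, using hand-written regexes that approximate the sample lines in the table above, and that falls back to an explicit `sourcetype = ...` assignment in an inputs.conf `[monitor://...]` stanza when nothing matches. The regexes, the voting window, and the sample log lines are all constructed for this example; only the inputs.conf stanza form and the source type names come from the page.

```python
"""Heuristic source-type recognition over the head of a log file.

Added example: the patterns below are hand-written approximations of the
line shapes listed in this page's table, NOT Splunk's own recognizer.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Classic BSD syslog prefix "Mon dd HH:MM:SS " (day may be space-padded).
_SYSLOG = r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d "

# Most specific first: a combined-with-cookie line also satisfies the plain
# combined pattern, so the trailing quoted cookie field must be tested first.
_RULES = [
    ("access_combined_wcookie",
     r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*" "[^"]*"$'),
    ("access_combined",
     r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*"$'),
    ("access_common",
     r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+$'),
    ("apache_error",
     r"^\[\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\] \[\w+\] "),
    ("weblogic_stdout", r"^####<"),
    ("websphere_trlog_syserr",
     r"^\[\d{1,2}/\d{1,2}/\d\d \d{1,2}:\d\d:\d\d:\d{3} \w+\] [0-9a-f]{8} SystemErr "),
    ("websphere_trlog_sysout",
     r"^\[\d{1,2}/\d{1,2}/\d\d \d{1,2}:\d\d:\d\d:\d{3} \w+\] [0-9a-f]{8} SystemOut "),
    ("log4j", r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} "),
    ("mysqld_error", r"^\d{6} +\d{1,2}:\d\d:\d\d "),
    ("asterisk_event", _SYSLOG + r"asterisk\[\d+\]: "),
    ("asterisk_messages", _SYSLOG + r"(?:WARNING|NOTICE|ERROR|VERBOSE|DEBUG)\[\d+\]: "),
    ("postfix_syslog", _SYSLOG + r"\S+ postfix/\w+\[\d+\]: "),
    ("sendmail_syslog", _SYSLOG + r"\S+ sendmail\[\d+\]: "),
    # sshd authentication outcomes live in the secure log; generic syslog
    # (e.g. the pam_unix session lines) falls through to the rule below.
    ("linux_secure",
     _SYSLOG + r"\S+ sshd\[\d+\]: (?:Accepted|Failed|Invalid user|error: PAM)"),
    ("linux_messages_syslog", _SYSLOG + r"\S+ \S+: "),
]
_COMPILED = [(name, re.compile(pat)) for name, pat in _RULES]


def classify_line(line: str) -> Optional[str]:
    """Return the first source type whose pattern matches the line, else None."""
    for name, pat in _COMPILED:
        if pat.search(line):
            return name
    return None


def recognise(lines: Iterable[str], sample: int = 20) -> Optional[str]:
    """Vote over the first `sample` non-blank lines, as a recognizer that only
    inspects the head of a file would. Returns None when no line matched."""
    votes: Counter = Counter()
    seen = 0
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        seen += 1
        sourcetype = classify_line(line)
        if sourcetype:
            votes[sourcetype] += 1
        if seen >= sample:
            break
    return votes.most_common(1)[0][0] if votes else None


def inputs_stanza(path: str, sourcetype: str) -> str:
    """inputs.conf monitor stanza that pins the source type explicitly."""
    return f"[monitor://{path}]\nsourcetype = {sourcetype}\n"


def plan_input(path: str, lines: Iterable[str], fallback: str) -> str:
    """Use the recognized type when there is one, otherwise the operator's
    chosen name, so unrecognized data is never indexed under a guessed type."""
    return inputs_stanza(path, recognise(lines) or fallback)


# Constructed sample data for this example (modelled on the table's samples).
SECURE_LOG = [
    "Aug 18 16:19:27 db1 sshd[29330]: Accepted publickey for root from ::ffff:10.2.1.5 port 40892 ssh2",
    "Aug 18 16:20:03 db1 sshd[29341]: Failed password for invalid user admin from 10.2.1.77 port 51022 ssh2",
]
MESSAGES_LOG = [
    "Aug 19 10:04:28 db1 sshd(pam_unix)[15979]: session opened for user root by (uid=0)",
]
CUSTOM_LOG = ["ts=1124471045 ev=login user=alice ok=1"]  # matches no rule

if __name__ == "__main__":
    print(plan_input("/var/log/secure", SECURE_LOG, "unknown"))
    print(plan_input("/var/log/app/auth.log", CUSTOM_LOG, "custom_auth"))
```

The two sshd lines illustrate why pinning matters for security feeds: the `Accepted`/`Failed` lines are recognized as linux_secure, but the pam_unix session line from the same daemon is generic linux_messages_syslog, so a search or alert scoped to `sourcetype=linux_secure` silently misses events from a feed that was auto-typed the other way. Setting `sourcetype` in the monitor stanza removes that dependency on line shape.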


Pre-trained source types

This list contains both automatically recognized source types and pre-trained source types that are not automatically recognized (the latter must be assigned via SplunkWeb or inputs.conf).

Application servers:
    log4j
    log4php
    weblogic_stdout
    websphere_activity
    websphere_core
    websphere_trlog

Databases:
    db2_diag
    mysqld
    mysqld_error
    mysqld_bin

E-mail:
    exim_main
    exim_reject
    postfix_syslog
    sendmail_syslog
    procmail

Operating systems:
    linux_messages_syslog
    linux_secure
    linux_audit
    linux_bootlog
    anaconda
    anaconda_syslog
    osx_asl
    osx_crashreporter
    osx_crash_log
    osx_install
    osx_secure
    osx_daily
    osx_weekly
    osx_monthly
    osx_window_server
    windows_snare_syslog
    dmesg
    ftp
    ssl_error
    syslog
    sar
    rpmpkgs

Network:
    novell_groupwise
    tcp

Printers:
    cups_access
    cups_error
    spooler

Routers and firewalls:
    cisco_cdr
    cisco_syslog
    clavister

VoIP:
    asterisk_cdr
    asterisk_event
    asterisk_messages
    asterisk_queue

Webservers:
    access_combined
    access_combined_wcookie
    access_common
    apache_error
    iis

Miscellaneous:
    snort

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4

