Documentation > Splunk > Admin Manual > sourcetypes.conf

Admin Manual

 


About the Splunk Admin Manual
How Splunk Works
Getting Started
Data Inputs
Data Distribution
Indexing
Timestamps
Fields
Hosts
Source Types
Event Types
Transaction Types
Search
Distributed Search
Alerts
Security
Data Management
Deployment Server
Performance Tuning
Configuration Files
Applications
Reference
Troubleshooting

sourcetypes.conf

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

sourcetypes.conf

sourcetypes.conf.spec 

# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.2
#
# NOTE: sourcetypes.conf is a machine-generated file that stores the document models used by the 
# file classifier for creating source types.
# Generally, you should not edit sourcetypes.conf, as most attributes are machine generated.
# However, there are two attributes which you can change.
#
# There is a sourcetypes.conf in $SPLUNK_HOME/etc/system/default/ To set custom 
# configurations, place a sourcetypes..conf in $SPLUNK_HOME/etc/system/local/. 
# For examples, see sourcetypes.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
_sourcetype = <value>
        * Specifies the sourcetype for the model.
        * Change this to change the model's sourcetype.
        * Future sources that match the model will receive a sourcetype of this new name.
_source = <value>
        * Specifies the source (filename) for the model.


sourcetypes.conf.example 

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains an example sourcetypes.conf.  Use this file to configure sourcetype models.
#
# NOTE: sourcetypes.conf is a machine-generated file that stores the document models used by the 
# file classifier for creating source types.
#
# Generally, you should not edit sourcetypes.conf, as most attributes are machine generated.
# However, there are two attributes which you can change.
#
# To use one or more of these configurations, copy the configuration block into
# sourcetypes.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
#
# This is an example of a machine-generated sourcetype models for a fictitious sourcetype cadcamlog.
#
[/Users/bob/logs/bnf.x5_Thu_Dec_13_15:59:06_2007_171714722]
_source = /Users/bob/logs/bnf.x5
_sourcetype = cadcamlog
L----------- = 0.096899
L-t<_EQ> = 0.016473
Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.3.2/Admin/Sourcetypesconf"

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!