Train Splunk to recognize a source type
This documentation does not apply to the most recent version of Splunk.
Use these instructions to train Splunk to recognize a new source type, or to give it new samples so that it better recognizes a pre-trained source type. Splunk can then classify future files with similar patterns as that source type.
To bypass auto-classification in favor of hardcoded configurations, you can instead set a source type for an input, set a source type for a source, or define your own rules for source type association.
Via the CLI
These commands assume you have set the Splunk environment variable. If you have not, navigate to $SPLUNK_HOME/bin and run the command as ./splunk.
# splunk train sourcetype $FILE_NAME $SOURCETYPE_NAME
Fill in $FILE_NAME with the entire path to your file. $SOURCETYPE_NAME is the custom source type you wish to create.
It's usually a good idea to train on a few different samples for any new source type so that Splunk learns how varied a source type can be.
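As an added example (not from the Splunk documentation), the following POSIX sh function trains one source type on several sample files in a single call, as recommended above, after checking that every sample path is the entire (absolute) path and is readable. SPLUNK_BIN is an assumed override variable, not a Splunk setting; it exists so the function can be exercised against a stub in place of the real CLI.

```shell
#!/bin/sh
# Added example, not Splunk's own code. Trains a source type on several sample
# files, calling "splunk train sourcetype FILE SOURCETYPE" once per file.
# Assumes the CLI lives at $SPLUNK_HOME/bin/splunk; SPLUNK_BIN (assumed, not a
# Splunk variable) overrides that path so the function can run against a stub.

# train_sourcetype NAME FILE... : returns 0 only if every sample was trained,
# 2 on bad arguments, 1 if the CLI itself fails.
train_sourcetype() {
    [ "$#" -ge 2 ] || { echo "usage: train_sourcetype NAME FILE..." >&2; return 2; }
    name=$1
    shift
    bin=${SPLUNK_BIN:-${SPLUNK_HOME:?set SPLUNK_HOME or SPLUNK_BIN}/bin/splunk}

    # Our own conservative rule for names: letters, digits, '_', '-' and ':'.
    # A stray space or shell metacharacter is refused rather than passed on.
    case $name in
        ''|*[!A-Za-z0-9_:-]*)
            echo "train_sourcetype: bad source type name '$name'" >&2
            return 2 ;;
    esac

    # Validate every sample before training on any of them, so a typo in the
    # third path does not leave the source type half-trained.
    for f in "$@"; do
        case $f in
            /*) ;;
            *) echo "train_sourcetype: '$f' is not an absolute path" >&2; return 2 ;;
        esac
        [ -r "$f" ] || { echo "train_sourcetype: cannot read '$f'" >&2; return 2; }
    done

    for f in "$@"; do
        "$bin" train sourcetype "$f" "$name" || return 1
    done
    return 0
}
```

Run it as `train_sourcetype my_app /var/log/myapp/a.log /var/log/myapp/b.log` (constructed paths) to give Splunk several samples of the same source type at once.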
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.