Set source type for an input
Use these instructions to explicitly set a source type for all data coming in via an input.
If you have a directory input (such as monitoring /var/log/), this method assigns the same source type to every file in the directory. To assign a different source type to each discrete source within the same input directory, set the source type for a source instead.
Note: This configuration only affects new incoming data. To correct the source type displayed in Splunk Web for data that has already been indexed, create an alias instead.
via Splunk Web
When you configure your data inputs through Splunk Web, you can hardcode a sourcetype.
Pick from a list of sourcetypes
If your source is one of Splunk's pre-trained source types, it's a good idea to pick the same name Splunk would try to assign automatically. For a description of Splunk's pre-trained source types, see the sourcetype reference page.
Choose From list from the Set source type drop-down.
Use a new source type name
Select Manual from the drop-down menu at the bottom of the data input screen.
Input your source type name in the Source Type box.
Your events now have that sourcetype= value.
via configuration files
When you configure inputs via inputs.conf, you can set a sourcetype as well. Include a sourcetype = attribute within the appropriate stanza in $SPLUNK_HOME/etc/system/local/inputs.conf:
[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995
This assigns sourcetype=log4j to every event arriving on the TCP input on port 9995.
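An input with no explicit sourcetype (in its own stanza or inherited from the [default] stanza) gets whatever Splunk auto-detects, which is the usual reason searches and detections that filter on sourcetype silently miss data. The following added example, which is not Splunk code, parses an inputs.conf in the stanza layout shown above and lists the input stanzas that would fall back to auto-detection. The sample conf text, the helper names and the tcp/udp/monitor stanza values are constructed for illustration.

```python
"""Audit a Splunk inputs.conf for inputs that do not set a sourcetype.

Added example, not Splunk's own code. Assumes the conf layout shown on the
page: [stanza] headers, `key = value` lines, `#` comments, and a [default]
stanza whose attributes apply to every other stanza unless overridden.
"""
import re
from typing import Dict, List, Optional

# Constructed sample inputs.conf (not from a real deployment): two inputs set
# a sourcetype explicitly, the monitor input does not.
SAMPLE_INPUTS_CONF = """\
# constructed sample, not a real deployment
[default]
host = indexer01

[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995

[monitor:///var/log]
disabled = 0

[udp://:514]
sourcetype = syslog
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza name: {attribute: value}}."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        match = STANZA_RE.match(line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # attribute before any stanza, or malformed line: ignored here
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_sourcetype(stanzas: Dict[str, Dict[str, str]],
                         name: str) -> Optional[str]:
    """Sourcetype that applies to stanza `name`, or None if nothing sets one.

    The stanza's own value wins; otherwise the [default] stanza's value applies.
    """
    own = stanzas.get(name, {}).get("sourcetype")
    if own is not None:
        return own
    return stanzas.get("default", {}).get("sourcetype")


def inputs_without_sourcetype(text: str) -> List[str]:
    """Names of input stanzas whose events would get an auto-detected sourcetype."""
    stanzas = parse_conf(text)
    return [name for name in stanzas
            if name != "default" and effective_sourcetype(stanzas, name) is None]


if __name__ == "__main__":
    for stanza in inputs_without_sourcetype(SAMPLE_INPUTS_CONF):
        print(f"no explicit sourcetype: [{stanza}]")
```

Run it against $SPLUNK_HOME/etc/system/local/inputs.conf (or any app's local/inputs.conf) to find inputs that still rely on auto-detection; each reported stanza is a candidate for an explicit sourcetype = line as described above.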
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14