Override automatic source type assignment
You can override automatic source type assignment for event data that comes from specific inputs, or which has a particular source.
Note: Assigning a source type by input is simple, but it is not very granular: Splunk gives every event from that input the same source type, even when the events actually come from different sources and hosts. To override automatic source type assignment in a more targeted way, have Splunk assign source types according to the source of the event data instead, as described later in this topic.
Override automated source type matching for an input
Use these instructions to override automated source type assignment and explicitly assign a single source type value to data coming from a specific input such as /var/log/.
Note: This only affects new data coming in after the override is set up. To correct the source types of events that have already been indexed, create a tag for the source type instead.
Through Splunk Web
When you define a data input in Manager, you can set a sourcetype value that Splunk applies to all incoming data from that input. Manager gives you the option of picking a sourcetype value from a list or entering a unique sourcetype value of your own.
To select a sourcetype value for an input, open the Manager page, select Data inputs and then drill down to the details page of the input you want to define a sourcetype for.
Pick a sourcetype value from a list for an input
If the data from a particular input belongs to one of Splunk's pretrained source types, you can choose from a drop-down list the sourcetype value that Splunk would otherwise assign automatically. For a description of the pretrained source types, see the "Pretrained sourcetypes" topic in this manual.
On the details page for the input that you're defining a source type for, select From list from Set source type, and then select a sourcetype value from Select source type from list.
Save your input settings. Splunk will assign the sourcetype that you've selected to all events that it indexes for that input after that point.
Manually enter a sourcetype value for an input
You can manually enter a sourcetype value for data that Splunk receives from a particular input.
On the details page for the input that you're defining a source type for, select Manual from the Set source type list, and then enter a source type in Source type.
Save your input settings. Splunk will assign the sourcetype that you've specified to all events that it indexes for that input after that point.
Through configuration files
When you configure inputs in inputs.conf, you can set a sourcetype as well. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
Note: This only affects new data coming in after your configuration change. If you want to correct the source types of events that have already been indexed, create a tag for the source type instead.
Include a sourcetype = attribute within the appropriate stanza in inputs.conf:

[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995

The above example assigns sourcetype=log4j to all events arriving on your TCP input on port 9995. The other attributes set the remaining default fields for that input: connection_host = dns sets the host field from a reverse DNS lookup of the sending address, and source = tcp:9995 sets the source field.
Override automatic source type matching for a source
Use these instructions to override automated source type assignment and explicitly assign a single source type value to data coming from a specific source.
For data coming from a forwarder: if you define a source type based on a source:: stanza in props.conf, you must set it on the forwarding side. It does not take effect if you set it only on the receiving side.
Use these instructions to assign a source type based on a source through props.conf. Edit props.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
Note: This only affects new data coming in after your configuration change. If you want to correct the source types of events that have already been indexed, create a tag for the source type instead.
Through configuration files
Add a stanza for your source in props.conf.
In the stanza, identify the source path, using regex syntax for flexibility if necessary. Then identify the source type by including a sourcetype = attribute:

[source::.../var/log/anaconda.log(.\d+)?]
sourcetype = anaconda

This example assigns sourcetype = anaconda to events from any source whose path contains /var/log/anaconda.log, optionally followed by a separator character and one or more digits. The optional group matches rotated files such as /var/log/anaconda.log.1, while a file such as anaconda.log.bak does not match. The leading ... matches any prefix, so the stanza applies regardless of where the file sits in the path.
Note: For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regexes by using them in searches with the rex search command. Splunk also maintains a list of useful third-party tools for writing and testing regular expressions.
Splunk recommends that your stanza source path regexes (such as [source::.../web/....log]) be as specific as possible. It is HIGHLY recommended that you not have the regex end in "...". For example, don't do this:

[source::/home/fflanda/...]
sourcetype = mytype

This is dangerous. Because ... matches anything, including directory separators, the stanza claims every file under /home/fflanda, so Splunk processes gzip files in /home/fflanda as mytype files rather than handling them as gzip files.
It would be much better to write:

[source::/home/fflanda/....log(.\d+)?]
sourcetype = mytype

This version matches only files under /home/fflanda whose names end in .log, optionally followed by a numeric rotation suffix, so archives and other non-log files there keep their normal handling.
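The following is an added example, written for this topic and not code from Splunk, that lets you check a source:: pattern against realistic paths before you deploy it. It serves both the anaconda stanza and the /home/fflanda comparison above. It approximates Splunk's stanza matching, and that approximation is an assumption of the example: ... matches any characters including directory separators, * matches any characters except directory separators, every other character is ordinary regex, and the pattern must match the whole source string. The sourcetype names mytype_broad and mytype_narrow, and the sample paths, are constructed for illustration; the example does not model how Splunk chooses between overlapping stanzas.

```python
import re


def stanza_to_regex(pattern):
    """Translate a props.conf [source::...] pattern into a compiled regex.

    Assumption of this example (approximating Splunk's matcher): "..." becomes
    ".*" (any characters, including "/"), "*" becomes "[^/]*" (any characters
    except "/"), and everything else is passed through as ordinary regex.
    Callers use fullmatch(), so the whole source string must match.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(pattern[i])
            i += 1
    return re.compile("".join(parts))


# Constructed stanzas: the anaconda example from this topic plus the broad and
# narrow /home/fflanda patterns. mytype_broad and mytype_narrow are hypothetical
# sourcetype names used only to tell the two patterns apart.
STANZAS = [
    (r".../var/log/anaconda.log(.\d+)?", "anaconda"),
    (r"/home/fflanda/...", "mytype_broad"),
    (r"/home/fflanda/....log(.\d+)?", "mytype_narrow"),
]


def matching_sourcetypes(source, stanzas=STANZAS):
    """Return the sourcetype of every stanza whose pattern matches `source`,
    in stanza order. More than one hit means the stanzas overlap; an empty
    list means the source would fall through to automatic assignment."""
    return [st for pat, st in stanzas if stanza_to_regex(pat).fullmatch(source)]


def overmatched(pattern, sources):
    """Sources that `pattern` claims even though they are not .log files.

    A quick check that a source:: regex is not wider than intended, e.g. that
    it does not swallow compressed archives alongside the logs."""
    rx = stanza_to_regex(pattern)
    return [s for s in sources if rx.fullmatch(s) and ".log" not in s]


# Constructed sample source paths: plain and rotated logs, a non-numeric
# suffix, an unrelated log, and a gzip archive in the monitored directory.
SAMPLE_SOURCES = [
    "/var/log/anaconda.log",
    "/var/log/anaconda.log.1",
    "/var/log/anaconda.log.bak",
    "/var/log/messages",
    "/home/fflanda/app.log",
    "/home/fflanda/app.log.2",
    "/home/fflanda/archive.tar.gz",
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:32} -> {matching_sourcetypes(src) or ['(automatic)']}")
    print("claimed by /home/fflanda/... but not logs:",
          overmatched(r"/home/fflanda/...", SAMPLE_SOURCES))
```

Run the script and look for two things: any sample path that is claimed by more than one stanza, and any archive that appears in the overmatched() output for a pattern ending in "...". The broad /home/fflanda/... stanza claims archive.tar.gz; the narrow one does not, which is exactly the difference the recommendation above is about.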
Learn more about props.conf.
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11