Create source types
You can create a new source type by editing props.conf and adding a new stanza. For detailed information on props.conf, read the props.conf specification in the Admin manual.
Edit the props.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see "About configuration files" in the Admin manual.
When you create a source type, you tell Splunk how to process the data to create searchable events. In particular, there are two key things that you need to specify:
- Event breaks. To learn how to use props.conf to specify event breaks, see "Configure event linebreaking".
- Timestamps. To learn how to use props.conf to specify timestamps, see "Configure timestamp recognition", as well as other topics in the "Configure timestamps" chapter of this manual.
There are also a number of miscellaneous settings you can configure. See the props.conf specification for more information.
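A stanza that sets both event breaks and timestamps for one log format, as an added example that is not part of the original manual page. The source type name acme:auth and the sample events are constructed for illustration; the setting names are standard props.conf settings.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
#
# Constructed sample input (one event may span several lines):
#   2024-03-11T08:15:42.120+0000 host=gw01 action=login user=alice result=failure
#   2024-03-11T08:15:43.007+0000 host=gw01 action=error msg="backend unavailable"
#       at auth.Backend.connect(Backend.java:88)
#   2024-03-11T08:15:44.311+0000 host=gw01 action=login user=alice result=success

[acme:auth]
# --- Event breaks ---
# Break only on newlines that are followed by an ISO 8601 date, so the
# indented continuation line stays attached to the event above it.
# The first capture group is the delimiter and is discarded.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})

# Upper bound on event size in bytes; longer events are truncated.
TRUNCATE = 10000

# --- Timestamps ---
# The timestamp is the first thing in each event.
TIME_PREFIX = ^
# %3N = milliseconds, %z = numeric UTC offset (+0000).
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
# The timestamp is 28 characters long; do not scan further into the event,
# so that date-like strings in the message body are never picked up instead.
MAX_TIMESTAMP_LOOKAHEAD = 28
```

Pinning TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD keeps event times tied to the log's own timestamp field rather than to whatever date-like text appears in the message body.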