Getting Data In

Override automatic source type assignment

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk; see the current documentation for the latest version of this topic.

Splunk will attempt to assign a source type to your data automatically. It often does a good job of this, but you can also explicitly tell it what source type to assign. You can configure Splunk so that it assigns a source type based on either the data input or the data source.

For details on the precedence rules that Splunk uses to assign source types to data, read How Splunk assigns source types.

Note: Overrides only affect new data that arrives after the override is set up. To correct the source types of events that have already been indexed, create a tag for the source type instead.

This topic describes how to specify a source type based on the data's input (the next section) or on the data's source (the section after it).

Specify source type for an input

You can explicitly assign the source type for data coming from a specific input, such as /var/log/. You do this in either Splunk Web or the inputs.conf configuration file.

Note: While assigning source type by input seems like a simple way to handle things, it isn't very granular: when you use it, Splunk assigns the same source type to all data from an input, even if some of the data comes from different sources or hosts. To bypass automatic source type assignment in a more targeted manner, you can arrange for Splunk to assign source types based on the data's source, as described later in this topic.

Use Splunk Web

When you define a data input in Manager, you can set a source type value that Splunk applies to all incoming data from that input. Manager gives you the option of picking a source type from a list or entering a unique source type value of your own.

To select a source type for an input, use Splunk Manager and drill down into the settings for the data input type you want to add. For example, for file inputs:

1. Click Manager in the upper right-hand corner of Splunk Web.

2. In the Data section of the Manager page, click Data Inputs.

3. Click Files & Directories.

4. Click the New button to add an input.

5. Check the More settings box.

6. Under the Source type heading, you'll see three dropdown choices for setting the source type:

  • Automatic. With this default setting, Splunk automatically selects a source type for the data.
  • From list. Splunk will present you with a list of common pretrained source types. See the next section for more information on this option.
  • Manual. If the source type you want isn't in the dropdown list but it still belongs to the set of Splunk's pretrained source types, you can enter its value manually. You can also manually enter your own source type. This option is described in greater detail below.

Pick a source type from a dropdown list

You can select a source type from a list of Splunk's most common pretrained source types:

1. Select From list from the Set the source type dropdown list.

2. Choose a source type from the Select source type from list dropdown list that now appears.

3. Save your input settings.

Splunk will now assign your selected source type to all events it indexes for that input.

Note: The dropdown list includes just the most common source types. For the complete list of available pretrained source types, see "List of pretrained sourcetypes".

Manually enter a source type

You can manually enter a source type for data that Splunk receives from a particular input:

1. Select Manual from the Set the source type dropdown list.

2. Enter a source type in the Source type field that now appears. This can be either one of Splunk's pretrained source types or a source type of your own.

3. Save your input settings.

Splunk will now assign your specified source type to all events it indexes for that input.

Use the inputs.conf configuration file

When you configure an input in inputs.conf, you can specify a source type for the input. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see "About configuration files" in the Admin manual.

To specify a source type, include a sourcetype attribute within the stanza for the input. For example:

[tcp://:9995]
connection_host=dns
sourcetype=log4j
source=tcp:9995

This example sets the source type to "log4j" for any events coming from your TCP input on port 9995.

Warning: Do not put quotes around the attribute value: sourcetype=log4j, not sourcetype="log4j".

Specify source type for a source

Use props.conf to override automated source type matching and explicitly assign a single source type to all data coming from a specific source.

Edit props.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see "About configuration files".

Important: If you are forwarding data, and you want to assign a source type for a source, you must do this in props.conf on the forwarder. If you do it in props.conf on the receiver, the override will not take effect.

To override source type assignment, add a stanza for your source to props.conf. In the stanza, identify the source path, using regex syntax for flexibility if necessary. Then specify the source type by including a sourcetype attribute. For example:

[source::.../var/log/anaconda.log(.\d+)?]
sourcetype=anaconda

This example sets the source type to "anaconda" for events from any source whose path contains the string /var/log/anaconda.log, optionally followed by a single character and one or more digits (the (.\d+)? group), so rotated copies such as anaconda.log.1 are covered as well.

Important: Your stanza source path regexes (such as [source::.../web/....log]) should be as specific as possible. Avoid using a regex that ends in "...". For example, don't do this:

[source::/home/fflanda/...]
sourcetype=mytype

This is dangerous. It tells Splunk to process any gzip files in /home/fflanda as "mytype" files rather than gzip files.

It would be much better to write:

[source::/home/fflanda/....log(.\d+)?]
sourcetype=mytype
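To see why the two stanzas above behave so differently, the following added example (not from the Splunk documentation or product) translates props.conf source:: patterns into regular expressions and reports which stanzas match a given source path. It assumes Splunk's documented wildcard rules ("..." matches any characters including "/", "*" matches any characters except "/", the rest is regex, and the whole path must match), uses Python's re module in place of PCRE, and goes beyond the page by also showing the "*" wildcard; the stanza-to-source-type mapping and the paths are constructed sample data.

```python
import re

# Constructed props.conf [source::...] stanzas (sample data, not a real deployment).
# The first two are the patterns this page contrasts, the third is the page's
# anaconda example, and the fourth is a hypothetical stanza showing '*'.
STANZAS = {
    "source::/home/fflanda/...": "mytype_broad",        # over-broad form the page warns against
    "source::/home/fflanda/....log(.\\d+)?": "mytype",  # specific form the page recommends
    "source::.../var/log/anaconda.log(.\\d+)?": "anaconda",
    "source::/var/log/*.log": "single_dir_log",         # hypothetical: '*' does not cross '/'
}


def stanza_to_regex(stanza):
    """Translate a props.conf source:: stanza into an anchored Python regex.

    Assumed rules (Splunk's documented wildcards; Python re stands in for PCRE):
      '...' matches any characters, including '/'
      '*'   matches any characters except '/'
      everything else is regex, and the whole source path must match.
    """
    body = stanza[len("source::"):]
    pieces = []
    for part in re.split(r"(\.\.\.|\*)", body):
        if part == "...":
            pieces.append(".*")
        elif part == "*":
            pieces.append("[^/]*")
        else:
            pieces.append(part)
    return re.compile("^" + "".join(pieces) + "$")


COMPILED = [(stanza_to_regex(s), st) for s, st in STANZAS.items()]


def matching_sourcetypes(source_path):
    """Return the source types of every stanza whose pattern matches source_path,
    in stanza order. More than one hit means the stanzas overlap, and Splunk's
    precedence rules, not this script, decide which one wins."""
    return [st for rx, st in COMPILED if rx.match(source_path)]


if __name__ == "__main__":
    for path in ("/home/fflanda/archive.log.gz", "/home/fflanda/app.log.3",
                 "/opt/var/log/anaconda.log.12", "/var/log/sub/messages.log"):
        print(path, "->", matching_sourcetypes(path) or ["(automatic assignment)"])
```

The first path is the case the page calls dangerous: only the broad stanza claims the gzip archive, whereas the specific stanza leaves it to automatic assignment.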

Note: For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regexes by using them in searches with the rex search command. Splunk also maintains a list of useful third-party tools for writing and testing regular expressions.

This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8.
