Getting Data In

 


Data preview and source types


The purpose of data preview is to help you apply the right source type to your incoming data. The source type is one of the default fields that Splunk assigns to all incoming data. The source type determines how Splunk formats your data during indexing. When you assign the correct source type to your data, the indexed version of the data (the event data) will look the way you want it to, with proper timestamps and event breaks.

Splunk comes with a large number of predefined source types. When consuming data, in most cases, Splunk will automatically assign the correct source type to your data and process the data appropriately. If your data is specialized, you might need to manually apply a different predefined source type to the data. In other cases, you might need to create a new source type with customized event processing settings.

Data preview can help ensure that you assign the right source type to your data. It shows you the results of applying any predefined source type to the data. It also allows you to modify the settings for a source type interactively, until you achieve the desired results. At that point, you can save the modifications as a new source type.

Data preview lets you:

  • See what your data will look like without any changes, using a default source type that Splunk automatically assigns.
  • Apply a different source type to see whether that offers better results.
  • Modify settings for timestamps and event breaks to improve the quality of the indexed data and save the modifications as a new source type.
  • Create a new source type from scratch.

Data preview saves any new source types to a props.conf file, which you can later distribute across the indexers in your deployment, so that the source types are available globally. See "Data preview and distributed Splunk" for details.
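To show the kind of stanza that ends up in props.conf, here is an added example (not taken from the Splunk documentation) of a source type with custom event-break and timestamp settings. The source type name `acme:auth:audit` and the log format are hypothetical and were constructed for this example.

```ini
# Constructed sample input (hypothetical application audit log).
# The second event spans three lines and must be indexed as ONE event:
#
#   ts=2013-04-02 14:07:55.120 +0000 level=INFO user=alice action=login result=success
#   ts=2013-04-02 14:07:58.431 +0000 level=ERROR user=bob action=login result=failure
#       reason=bad_password
#       src=192.0.2.10
#
# Hypothetical source type name; all values below are example configuration.
[acme:auth:audit]

# --- Event breaks ---
# Break only where a newline is followed by "ts=<date>". The text matched by
# the first capture group is discarded; what follows it starts the next event,
# so the indented continuation lines stay attached to the failure event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)ts=\d{4}-\d{2}-\d{2}\s

# --- Timestamps ---
# The timestamp sits directly after "ts=" at the start of each event.
TIME_PREFIX = ^ts=
# Date, time with milliseconds, then a numeric UTC offset.
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
# The sample timestamp is 29 characters long; do not scan further, so that
# digits elsewhere in the event (for example the src address) are never
# mistaken for a time.
MAX_TIMESTAMP_LOOKAHEAD = 30

# Upper bound on event length in bytes, so a malformed input cannot produce
# one enormous event.
TRUNCATE = 10000
```

With settings like these, the failed login and its `reason` and `src` lines are indexed as a single event stamped with the time the application recorded, which keeps time-range searches and event correlation accurate.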

For detailed information on source types, see "Why source types matter" in this manual. In addition, several topics in the "Configure event processing", "Configure timestamps", and "Configure source types" chapters provide advanced information on source type processing.

This documentation applies to the following versions of Splunk: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2, 5.0.3.

