Admin Manual

 


source-classifier.conf

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013.

This documentation does not apply to the most recent version of Splunk.


The following are the spec and example files for source-classifier.conf.

source-classifier.conf.spec

# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.  Version 4.3 
#
# This file contains all possible options for configuring settings for the file classifier
# in source-classifier.conf.
#
# There is a source-classifier.conf in $SPLUNK_HOME/etc/system/default/ To set custom 
# configurations, place a source-classifier.conf in $SPLUNK_HOME/etc/system/local/. 
# For examples, see source-classifier.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles


ignored_model_keywords = <space-separated list of terms>
    * Terms to ignore when generating a sourcetype model.
    * To prevent sourcetype "bundles/learned/*-model.xml" files from containing sensitive
      terms (e.g. "bobslaptop") that occur very frequently in your data
      files, add those terms to ignored_model_keywords.

ignored_filename_keywords = <space-separated list of terms>
    * Terms to ignore when comparing a new sourcename against a known sourcename, for the purpose of
      classifying a source.


source-classifier.conf.example

# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.  Version 4.3 
#
# This file contains an example source-classifier.conf.  Use this file to configure classification
# of sources into sourcetypes.
#
# To use one or more of these configurations, copy the configuration block into
# source-classifier.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to 
# enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# terms to ignore when generating sourcetype model to prevent model from containing servernames, 
ignored_model_keywords = sun mon tue tues wed thurs fri sat sunday monday tuesday wednesday thursday friday saturday jan feb mar apr may jun jul aug sep oct nov dec january february march april may june july august september october november december 2003 2004 2005 2006 2007 2008 2009 am pm ut utc gmt cet cest cetdst met mest metdst mez mesz eet eest eetdst wet west wetdst msk msd ist jst kst hkt ast adt est edt cst cdt mst mdt pst pdt cast cadt east eadt wast wadt

# terms to ignore when comparing a sourcename against a known sourcename
ignored_filename_keywords = log logs com common event events little main message messages queue server splunk 
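The spec's advice on ignored_model_keywords can be checked with a small audit, shown here as an added example that is not part of the Splunk documentation or Splunk's own code. It scans "*-model.xml" files for sensitive terms and builds the full local setting, carrying the current terms over because a value set in local/ replaces the default value rather than extending it. Assumptions: the model files are read as plain text, and the hostnames and XML content in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

KEY = "ignored_model_keywords"

def read_keywords(conf_text, key=KEY):
    """Terms assigned to `key` in flat 'key = value' conf text (no stanzas)."""
    terms = []
    for line in conf_text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith("#") and name.strip() == key:
            terms = value.split()  # a later assignment replaces an earlier one
    return terms

def leaked_terms(model_text, sensitive, ignored):
    """Sensitive terms found as whole words in a model file and not yet ignored."""
    ignored = {t.lower() for t in ignored}
    text = model_text.lower()
    hits = []
    for term in sorted({t.lower() for t in sensitive} - ignored):
        if re.search(r"(?<![a-z0-9])" + re.escape(term) + r"(?![a-z0-9])", text):
            hits.append(term)
    return hits

def audit(learned_dir, sensitive, ignored):
    """Map each *-model.xml file name to the sensitive terms it contains."""
    findings = {}
    for path in sorted(Path(learned_dir).glob("*-model.xml")):
        hits = leaked_terms(path.read_text(errors="replace"), sensitive, ignored)
        if hits:
            findings[path.name] = hits
    return findings

def local_setting(current_terms, findings):
    """Full replacement line for local/source-classifier.conf."""
    new = sorted({t for hits in findings.values() for t in hits} - set(current_terms))
    return KEY + " = " + " ".join(list(current_terms) + new)

def demo():
    # Constructed sample data; the XML below is a stand-in, not Splunk's schema.
    current = read_keywords("# constructed\nignored_model_keywords = sun mon am pm utc\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, "syslog-model.xml").write_text("<m>sun BobsLaptop sshd payroll-db01</m>")
        Path(d, "access-model.xml").write_text("<m>get post utc</m>")
        found = audit(d, ["bobslaptop", "payroll-db01", "utc"], current)
    return found, local_setting(current, found)

if __name__ == "__main__":
    print(demo())
```

The returned line is what goes into source-classifier.conf in $SPLUNK_HOME/etc/system/local/, followed by the restart the spec requires.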

This documentation applies to the following versions of Splunk: 4.3

