Splunk® Enterprise

Getting Data In

Create source types

You can create new source types in several ways:

  • Use the "Set Sourcetype" page in Splunk Web as part of adding the data.
  • Create a source type in the "Source types" management page, as described in Add source type.
  • Edit the props.conf configuration file directly.

Although you can configure individual forwarders to create source types by editing the .conf files that reside on the forwarder machine, a best practice for creating source types is to use Splunk Web, to guarantee that source types are created consistently across your Splunk deployment.

Set the source type in Splunk Web

The "Set Sourcetype" page in Splunk Web provides an easy way to view the effects of applying a source type to your data and to make adjustments to the source type settings as necessary. You can save your changes as a new source type, which you can then assign to data inputs.

The page lets you make the most common types of adjustments to timestamps and event breaks. For other modifications, it lets you edit the underlying props.conf file directly. As you change settings, you can immediately see the changes to the event data.

The page appears only when you specify or upload a single file. It does not appear when you specify any other type of source.

To learn more about the page, see The "Set Sourcetype" page in this manual.

Create a source type

You can use the "Source types" management page to create a new source type. See Add source type in this manual.

Edit props.conf

If you have Splunk Enterprise, you can create a new source type by editing props.conf and adding a new stanza. For detailed information on props.conf, read the props.conf specification in the Admin manual. For information on configuration files in general, see About configuration files in the Admin manual.

The following is an example of an entry in props.conf. This entry defines the access_combined source type and then assigns that source type to files that match the specified source. You can specify multiple files or directories in a source by using a regular expression.

[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
category = Web
description = National Center for Supercomputing Applications (NCSA) combined format HTTP web server logs (can be generated by apache or other web servers)

[source::/opt/weblogs/apache.log]
sourcetype = access_combined

To edit props.conf:

  1. On the host where you want to create a source type, create $SPLUNK_HOME/etc/system/local/props.conf.
     Note: You might need to create the local directory. If you use an app, go to the app directory in $SPLUNK_HOME/etc/apps.
  2. With a text editor, open the props.conf file in $SPLUNK_HOME/etc/system/local.
  3. Add a stanza for the new source type and specify any attributes that Splunk software should use when handling the source type.

     [my_sourcetype]
     attribute1 = value
     attribute2 = value

     Note: See the props.conf specification for a list of attributes and how they should be used.

  4. (Optional) If you know the name of the file (or files) to which the source type is to be applied, specify them in the [source::<source>] stanza:

     [my_sourcetype]
     attribute1 = value
     attribute2 = value

     [source::.../my/logfile.log]
     sourcetype = my_sourcetype

  5. Save the props.conf file.
  6. Restart Splunk Enterprise. The new source types take effect after the restart completes.

Specify event breaks and time stamping

When you create a source type, there are some key attributes that you should specify for event breaking and time stamping.

There are also a number of additional settings that you can configure. See the props.conf specification for more information.
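The following is an added check for the props.conf procedure above and the access_combined example earlier on this page (example code, not Splunk's own tooling or part of this documentation): a small Python linter that parses a props.conf fragment, confirms that every [source::...] stanza assigns a source type defined in that fragment, and reports source type stanzas that do not set the event-breaking and timestamp attributes the access_combined stanza uses (SHOULD_LINEMERGE, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD). The sample props.conf text is constructed, and "not defined in this fragment" is relative to the text being checked only, because a source type such as iis may be defined in another props.conf on the host.

```python
import configparser

# Event-breaking and timestamp attributes used by this page's access_combined stanza.
EXPECTED_ATTRS = ("SHOULD_LINEMERGE", "TIME_PREFIX", "MAX_TIMESTAMP_LOOKAHEAD")

# Constructed props.conf text; the apache.log stanza names a source type ("iis")
# that no stanza in this fragment defines.
SAMPLE_PROPS = """[access_combined]
SHOULD_LINEMERGE = False
TIME_PREFIX = \\[
MAX_TIMESTAMP_LOOKAHEAD = 128

[my_sourcetype]
attribute1 = value

[source::/opt/weblogs/apache.log]
sourcetype = iis

[source::.../my/logfile.log]
sourcetype = my_sourcetype
"""

def parse_props(text: str) -> configparser.ConfigParser:
    # Case-sensitive keys, '=' as the only delimiter, no %-interpolation (TIME_FORMAT values contain '%').
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint_props(text: str) -> list[str]:
    """Return one finding per problem, in stanza order."""
    cp = parse_props(text)
    defined = {s for s in cp.sections() if not s.startswith("source::")}
    findings: list[str] = []
    for section in cp.sections():
        if section.startswith("source::"):
            target = cp[section].get("sourcetype")
            if target is None:
                findings.append(f"[{section}] has no sourcetype assignment")
            elif target not in defined:
                findings.append(f"[{section}] assigns source type '{target}' not defined in this fragment")
        else:
            missing = [a for a in EXPECTED_ATTRS if a not in cp[section]]
            if missing:
                findings.append(f"[{section}] does not set {', '.join(missing)}")
    return findings

if __name__ == "__main__":
    for finding in lint_props(SAMPLE_PROPS):
        print(finding)
```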


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0, 7.2.1

