Create source types
You can create new source types in several ways:
- Use the "Set Sourcetype" page in Splunk Web as part of adding the data.
- Create a source type in the "Source types" management page, as described in Add source type.
- Edit the props.conf configuration file directly.
Although you can configure individual forwarders to create source types by editing the .conf files that reside on the forwarder machine, the best practice is to create source types in Splunk Web, so that they are defined once and applied consistently across your Splunk deployment rather than drifting from host to host.
Set the source type in Splunk Web
The "Set Sourcetype" page in Splunk Web provides an easy way to view the effects of applying a source type to your data and to make adjustments to the source type settings as necessary. You can save your changes as a new source type, which you can then assign to data inputs.
The page lets you make the most common types of adjustments to timestamps and event breaks. For other modifications, it lets you edit the underlying props.conf file directly. As you change settings, you can immediately see the changes to the event data.
The page appears only when you specify or upload a single file. It does not appear when you specify any other type of source.
To learn more about the page, see The "Set Sourcetype" page in this manual.
Create a source type
You can use the "Source types" management page to create a new source type. See Add source type in this manual.
If you have Splunk Enterprise, you can create a new source type by editing props.conf and adding a new stanza. For detailed information on props.conf, read the props.conf specification in the Admin manual. For information on configuration files in general, see About configuration files in the Admin manual.
The following is an example of an entry in props.conf. This entry defines the access_combined source type and then assigns that source type to files that match the specified source. You can match multiple files or directories in a source stanza by using wildcards or a regular expression in the stanza name.
    [access_combined]
    pulldown_type = true
    maxDist = 28
    MAX_TIMESTAMP_LOOKAHEAD = 128
    REPORT-access = access-extractions
    SHOULD_LINEMERGE = False
    TIME_PREFIX = \[
    category = Web
    description = National Center for Supercomputing Applications (NCSA) combined format HTTP web server logs (can be generated by apache or other web servers)

    [source::/opt/weblogs/apache.log]
    sourcetype = access_combined
To edit props.conf:
- On the host where you want to create a source type, create a props.conf file in the local directory if one does not already exist.
  Note: You might need to create the local directory. If you use an app, go to the app directory instead.
- With a text editor, open the props.conf file.
- Add a stanza for the new source type and specify any attributes that Splunk software should use when handling the source type.
    [my_sourcetype]
    attribute1 = value
    attribute2 = value
  Note: See the props.conf specification for a list of attributes and how they should be used.
- (Optional) If you know the name of the file (or files) to which the source type is to be applied, specify them in a source stanza in the same file:
    [my_sourcetype]
    attribute1 = value
    attribute2 = value

    [source::.../my/logfile.log]
    sourcetype = my_sourcetype
- Save the props.conf file.
- Restart Splunk Enterprise. The new source types take effect after the restart completes. Because event breaking, timestamp recognition and field extractions all follow from the source type, a stanza that assigns the wrong or a misspelled source type silently changes what every search and alert built on that data sees, so check the assignment before relying on it.
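The props.conf stanza and source assignment shown above, together with the editing procedure, as an added worked example (this is not Splunk code and not code from the original page): a Python script that parses a constructed props.conf fragment, resolves which source type a given source path receives under the documented wildcard rules for source stanzas, and flags any source stanza whose sourcetype value matches no stanza defined in the file, the kind of typo that sends a log into the index with the wrong event breaking and no field extractions. It assumes Splunk's wildcard semantics for source stanza names ("..." matches any characters including "/", "*" matches any characters except "/") and simplifies precedence between several matching source stanzas to first match wins, which is not Splunk's full precedence rule. The file contents and log paths are constructed for the example.

```python
"""Lint a props.conf fragment: resolve the source type each log path gets and
flag source:: stanzas that assign a source type the file never defines.

Added example, not Splunk code. Assumes Splunk's documented wildcard rules for
source:: stanza names ('...' matches across '/', '*' stays within one path
component) and simplifies precedence to "first matching stanza wins", which
is NOT Splunk's full precedence rule.
"""
import configparser
import re

# Constructed props.conf content. The first source:: stanza is correct; the
# second assigns a misspelled source type that no stanza in this file defines.
SAMPLE_PROPS_CONF = r"""
[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
category = Web

[source::/opt/weblogs/apache.log]
sourcetype = access_combined

[source::.../auth/*.log]
sourcetype = acces_combined
"""


def parse_props(text):
    """Parse props.conf text into {stanza: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str  # keep MAX_TIMESTAMP_LOOKAHEAD and REPORT-access as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def source_pattern_to_regex(pattern):
    """Translate a source:: stanza name into an anchored regular expression."""
    parts = []
    for token in re.split(r"(\.\.\.|\*)", pattern):
        if token == "...":
            parts.append(".*")       # recurses through directories
        elif token == "*":
            parts.append("[^/]*")    # matches within a single path component
        elif token:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + "$")


def resolve_sourcetype(stanzas, source_path):
    """Return the sourcetype assigned by the first matching source:: stanza, or None."""
    for name, settings in stanzas.items():
        if not name.startswith("source::"):
            continue
        if source_pattern_to_regex(name[len("source::"):]).match(source_path):
            return settings.get("sourcetype")
    return None


def undefined_sourcetype_assignments(stanzas):
    """List (stanza, sourcetype) pairs whose sourcetype has no defining stanza in this file."""
    defined = {name for name in stanzas if "::" not in name}
    problems = []
    for name, settings in stanzas.items():
        sourcetype = settings.get("sourcetype")
        if name.startswith("source::") and sourcetype and sourcetype not in defined:
            problems.append((name, sourcetype))
    return problems


if __name__ == "__main__":
    stanzas = parse_props(SAMPLE_PROPS_CONF)
    for path in ("/opt/weblogs/apache.log",
                 "/var/log/auth/sshd.log",
                 "/var/log/auth/old/sshd.log"):
        print(path, "->", resolve_sourcetype(stanzas, path))
    for stanza, sourcetype in undefined_sourcetype_assignments(stanzas):
        print("WARNING:", stanza, "assigns undefined source type", sourcetype)
```

Running the script shows the apache log resolving to access_combined, the auth log resolving to the misspelled acces_combined, and the file under a deeper subdirectory matching nothing because "*" does not cross "/". The undefined-assignment check is the one worth running before a restart: a misspelled source type does not produce an error, it just produces events with none of the settings you intended.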
Specify event breaks and time stamping
When you create a source type, there are some key attributes that you should specify:
- Event breaks. To learn how to use props.conf to specify event breaks, see Configure event linebreaking.
- Timestamps. To learn how to use props.conf to specify timestamps, see Configure timestamp recognition, as well as other topics in the "Configure timestamps" chapter of this manual.
There are also a number of additional settings that you can configure. See the props.conf specification for more information.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.1.1, 7.1.2