Splunk Cloud Platform

Use Ingest Processors

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Using source types to break and merge data in Ingest Processor

The source type is one of the default fields that Splunk software assigns to events. It identifies the kind of data that you are working with and indicates the original source of the data.

In Ingest Processor, you can create source type configurations and use them to specify the following behavior:

  • How Ingest Processor breaks and merges the inbound stream of data into distinct events. The event breaking and merging operations defined in your source type configurations are applied to inbound data if it meets the following criteria:
    • The sourcetype value of an event matches the name of a source type configuration in the Ingest Processor service.
    • The inbound data isn't already event-broken through other means, such as by the EVENT_BREAKER configuration in a universal forwarder.
  • What data a pipeline processes. When you create a pipeline, it selects a subset of data from the all_data_ready in the Ingest Processor to be processed based on your source type selection. The pipeline processes only the events that have a matching sourcetype value.

When creating a pipeline, you can combine your selected source type with other conditions to choose a more specific subset of data to process. See Partitions for more information.

By default, the Ingest Processor service includes event breaking and merging configurations for a variety of common source types. See Automatically recognized source types in the Splunk Cloud Platform Getting Data In manual for a list of default source types. If the source type that you want to work with is not listed, then you must add and configure that source type in the Ingest Processor service. You can also edit the default source types to meet your needs.

Last modified on 20 February, 2024
 

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308, 9.1.2312, 9.2.2403


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters