Splunk® Supported Add-ons

Splunk Add-ons

Source types for add-ons

All Splunk supported add-ons have one or more predefined source types to identify the type of data the add-on collects from the third-party system. Many source types support data models in the Common Information Model.

Source type naming conventions

Source type names use the following format:

vendor:product:technology:format

The shortest source type name is used to distinguish it from other source types. For example, if the vendor provides only a single format, then :format is not included in the source type name. If the vendor's product does not provide different log formats or sources for different technologies, then :technology is not included in the source type name. For example, the Splunk Add-on for OSSEC has a single source type called ossec. This source type name uses only one of the naming components because the add-on collects only one kind of data from the vendor, OSSEC.

Search using add-on source types

The source type naming format enables you to use wildcards at the end of a search term when you run a search to achieve the desired level of abstraction in the search results.

For example, you can run the following search to retrieve all Cisco logs.

sourcetype=cisco:*

Run the following search to retrieve all Cisco ESA logs.

sourcetype=cisco:esa:*

Run the following search to retrieve only the Cisco ESA textmail format logs.

sourcetype=cisco:esa:textmail

Setting source type for inputs

Some Splunk add-ons have preconfigured inputs set to the appropriate source type for the third-party technology. During index time, the add-on separates the data into specific source types if there is more than one source type included with the add-on.

For add-ons that require you to create inputs to retrieve data from the third-party system, you must set the source type to a specific source type for the add-on technology as referenced in the documentation for the add-on. This source type tells the Splunk platform how to format the events during indexing. The CIM mappings and any dashboard panels provided with the add-on are also dependent on this source type. If the data inputs are not set to the correct source type, the CIM mappings and dashboard panels included with the add-on will not work.

For more information about source types, see Why source types matter in the Splunk Enterprise Getting Data In manual.

Last modified on 21 July, 2021
Add-ons and CIM   Add-ons and indexes

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters