Splunk® Add-on Builder

Splunk Add-on Builder User Guide

This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

Upload Sample Data

In the Upload Sample Data section, configure the sourcetypes used by your add-on and upload sample data files.

Uploading sample data is useful when:

  • You have configured a data collection and you want to upload more sample data to create knowledge objects, such as field extractions, and to perform CIM mapping.
  • Your add-on relies on native core data inputs for data collection (for example, syslog files or the HTTP Event Collector) and you use the Add-on Builder for creating knowledge objects and perform CIM mapping.


The sourcetypes you created for your data inputs are listed on this page. You can also add sourcetypes for data inputs in addition to those you created for your add-on (for example, for core data inputs in Splunk Enterprise).

AddonBuilder 3UploadData.png

Once you have added sourcetypes to your add-on, you can manage them from this page. Sourcetypes you create for your add-on also appear on the Settings > Source Types page.

Add and edit sourcetypes

In addition to the sourcetypes you created for your data inputs, you might need to add additional sourcetypes for data inputs that have already been configured in Splunk Enterprise. To create knowledge objects for these sourcetypes, such as field extractions, add these sourcetypes to your add-on.

To add a sourcetype:

  1. On the Step 3: Upload Sample Data page, click Add Sourcetype.
  2. Enter a sourcetype name.
  3. Expand the Event Breaks section and select an option that indicates how events for the data in this sourcetype should be separated:
    • Auto: Events are auto-detected based on their timestamp location.
    • Every Line: Every line is one event.
    • Regex: Use a regular expression to define a pattern to split events.
  4. Optionally, expand the Advanced section to specify additional index-time parameters for parsing data.

    5. If you have sample data in JSON or XML format, add the following advanced parameter, which extracts field-value pairs separated by the equals (=) sign:

    Name: "KV_MODE"
    Value: "auto"
  5. Click Save.


To modify the settings for a sourcetype:

  1. On the Step 3: Upload Sample Data page, click Edit for a sourcetype.
  2. Modify the settings, then click Save.

Upload sample data

After you've created sourcetypes for your add-on, you can create knowledge objects from them. However, the modular inputs you created might not collect data quickly enough. And, new sourcetypes you added for newly-created inputs will not have any data. To create knowledge objects right away, you can upload sample data files for your sourcetypes, for instance from historical logs.

To upload a sample data file for a sourcetype:

  1. On the Step 3: Upload Sample Data page, click Upload for a sourcetype.
  2. Navigate to the sample data file and click Open. Sample events are stored in a dedicated "add_on_builder_index" index.


When you have finished configuring sourcetypes and uploading sample data, click Next to save your settings and continue to the next section.

Learn more

For more information, see the following Splunk Enterprise documentation:

Last modified on 29 June, 2016
Configure Data Collection   Extract Fields

This documentation applies to the following versions of Splunk® Add-on Builder: 1.0.0, 1.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters