Add Sample Data
In the Add Sample Data section, add sample data to your add-on. Any sourcetypes you have already defined for your add-on, such as the data inputs you configured from modular inputs in the Configure Data Collection section, are also listed on this page.
Uploading sample data is useful when:
- You have configured a data collection and you want to upload more sample data to create knowledge objects, such as field extractions, and to perform CIM mapping.
- Your add-on relies on native core data inputs for data collection (for example, syslog files or the HTTP Event Collector) and you use the Add-on Builder for creating knowledge objects and perform CIM mapping.
You can add sample data in two ways:
- Upload sample data from one or more files and create a sourcetype for this data input.
- Add data that is already indexed in your Splunk Enterprise instance by selecting an existing sourcetype.
Add sample data from a file
After you've added data inputs in the Configure Data Collection section, the modular inputs you created might not collect data quickly enough. To create knowledge objects right away, you can upload sample data files for your sourcetypes, for instance from historical logs.
- Note You cannot upload compressed files.
To upload a sample data file and create a sourcetype for it:
- On the Step 3: Add Sample Data page, click Add From File.
- Enter a sourcetype name for this data.
- Click Upload Data, navigate to and select the sample data file, then click Open.
- You can adjust indexing settings as needed:
- Expand the Event Breaks section and select an option that indicates how events for the data in this sourcetype should be separated:
- Auto: Events are auto-detected based on their timestamp location.
- Every Line: Every line is one event.
- Regex: Use a regular expression to define a pattern to split events.
- Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
- Expand the Advanced section to specify additional index-time parameters for parsing data.
- Click Save.
The preview displays the first 1000 events from the first 2MB of data.
Sample events are stored in a dedicated "add_on_builder_index" index.
To upload a sample data file for an existing sourcetype:
- On the Step 3: Add Sample Data page, find the sourcetype in the table and click Add Sample.
- Click Upload Data, navigate to and select the sample data file, then click Open.
- You can adjust indexing settings as needed:
- Expand the Event Breaks section and select an option that indicates how events for the data in this sourcetype should be separated:
- Auto: Events are auto-detected based on their timestamp location.
- Every Line: Every line is one event.
- Regex: Use a regular expression to define a pattern to split events.
- Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
- Expand the Advanced section to specify additional index-time parameters for parsing data.
- Click Save.
The preview displays the first 1000 events from the first 2MB of data.
Add indexed data from Splunk Enterprise
To add data that has already been indexed in Splunk Enterprise:
- On the Step 3: Add Sample Data page, click Add From Splunk.
- Select the sourcetype of the data to add.
- Click Add.
- Note Any future changes made to the original sourcetype will not be included in your add-on.
When you have finished configuring sourcetypes and uploading sample data, click Next to save your settings and continue to the next section.
Learn more
For more information, see the following Splunk Enterprise documentation:
- For sourcetypes, see Configure source types in the Getting Data In manual
- For event breaks, see Configure event line breaking in the Getting Data In manual
- For advanced settings, see props.conf in the Admin Manual
| Configure Data Collection | Extract Fields |
This documentation applies to the following versions of Splunk® Add-on Builder: 1.1.0
Download manual
Feedback submitted, thanks!