Splunk® Add-on Builder

Splunk Add-on Builder User Guide

This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

Add sample data

The Add Sample Data page lets you add your own sample data to your add-on. Any source types you have already defined for your add-on, such as the data inputs you configured from modular inputs in the Configure Data Collection section, are also listed on this page.

Uploading sample data is useful when:

  • You have configured a data collection and you want to upload more sample data to create knowledge objects such as field extractions and to perform CIM mapping.
  • Your add-on relies on native core data inputs for data collection (for example, syslog files or the HTTP Event Collector) and you want to use the Add-on Builder to create knowledge objects and perform CIM mapping.

You can add sample data in two ways:

  • Upload sample data from one or more files and create a source type for this data input.
  • Add data that is already indexed in your Splunk Enterprise instance by selecting an existing source type.

Sample data counts against your license.

If you want to use Splunk Enterprise sample data for these steps, see Get tutorial data into Splunk

Add your own sample data from a file

After you add data inputs in the Configure Data Collection section, you can use the Add-on Builder to upload your own sample data files for your source types. This can be helpful when you want to create knowledge objects immediately, instead of waiting for newly created modular inputs to collect necessary data.


You cannot upload compressed files.

To upload a sample data file and create a source type

  1. On your add-on homepage, click Add Sample Data on the Add-on Builder navigation bar.
  2. On the Add Sample Data page, click Add From File.
  3. Enter a source type name for this data.
  4. Click Upload Data
  5. navigate to and select the sample data file, then click Open. The preview displays the first 1000 events from the first 2MB of data.
  6. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
  7. Click Save.

    8. Sample events are stored in a dedicated "add_on_builder_index" index.

To upload a sample data file for an existing source type

  1. On your add-on homepage, click Add Sample Data on the Add-on Builder navigation bar.
  2. On the Add Sample Data page, find the source type in the table and click Add Sample.
  3. Click Upload Data, navigate to and select the sample data file, then click Open.

    4. The preview displays the first 1000 events from the first 2MB of data.

  4. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Each line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
  5. Click Save.

Add indexed data from Splunk Enterprise

To add data that has already been indexed in Splunk Enterprise

  1. On your add-on homepage, click Add Sample Data on the Add-on Builder navigation bar.
  2. On the Add Sample Data page, click Add From Splunk.
  3. Select the source type of the data to add.
  4. Click Add.

Any future changes made to the original source type will not be included in your add-on.

Learn more

For more information, see the following Splunk Enterprise documentation:

Last modified on 22 January, 2021
Create a setup page   Manage source types

This documentation applies to the following versions of Splunk® Add-on Builder: 2.2.0, 3.0.0, 3.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters