Manage source types
Source types let you categorize your data for easier searching. To learn about source types, see Why source types matter in the Getting Data In manual.
You can add new source types in the Add-on Builder:
- By creating a new source type and uploading sample data from one or more files for this source type.
- By importing an existing source type from the Splunk platform.
Add a new source type
- On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
- On the Manage Source Types page, click Add and then New Source Type.
- Enter a unique source type name.
- Click Upload Data.
- Select the sample data file, then click Open.
- Adjust indexing settings as needed:
- Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
- Auto: Events are auto-detected based on their timestamp location.
- Every Line: Every line is one event.
- Regex: Use a regular expression to define a pattern to split events.
- Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
- Expand the Advanced section to specify additional index-time parameters for parsing data.
- Click Save.
The preview displays the first 1000 events from the first 2MB of data.
Sample events are stored in a dedicated "add_on_builder_index" index.
Import an existing source type
- On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
- On the Manage Source Types page, click Add and then Import From Splunk.
- Select a source type from the drop-down list.
- (Optional) Click Upload Data, select the sample data file, then click Open.
- Adjust indexing settings as needed:
- Expand the Event Breaks section and select an option to indicate how events should be separated:
- Auto: Events are auto-detected based on their timestamp location.
- Every Line: Every line is one event.
- Regex: Use a regular expression to define a pattern to split events.
- Expand the Timestamp section and select an option to indicate how to generate timestamps for the data.
- Expand the Advanced section to specify additional index-time parameters for parsing data.
- Click Save.
The preview displays the first 1000 events from the first 2MB of data.
Edit an existing source type
- On your add-on homepage, click Manage Source Type on the Add-on Builder navigation bar.
- Click Edit on the source type you want to edit.
- (Optional) Click Upload Data, navigate to and select the sample data file, then click Open.
- Adjust indexing settings as needed:
- Expand the Event Breaks section and select an option that indicates how to separate events:
- Auto: Events are auto-detected based on their timestamp location.
- Every Line: Every line is one event.
- Regex: Use a regular expression to define a pattern to split events.
- Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
- Expand the Advanced section to specify additional index-time parameters for parsing data.
The preview displays the first 1000 events from the first 2MB of data.
Learn more
- Configure source types in the Getting Data In manual
- Configure event line breaking in the Getting Data In manual
- props.conf in the Admin Manual
Create a setup page | Extract fields |
This documentation applies to the following versions of Splunk® Add-on Builder: 4.1.0
Feedback submitted, thanks!