Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

View event data

If you arrived here from a help link.... This topic describes the initial steps of using data preview, up to the point when data preview first processes your file. If you want to learn how to adjust the results, read the "Modify event processing" topic instead.

You access data preview automatically when you start to create a file input in Splunk Web. When you start to add a new input from the Files & Directories page in Splunk Web, as described here, Splunk Web first presents you with the option to preview a file. At that point, you can give it a file to preview or you can skip data preview and continue directly to the Files & Directories input page.

Specify the file to preview

Whether you enter from Files & Directories, Splunk Web presents you with a dialog where you can select a file to preview:

1. Select the radio button, Preview data before indexing.

2. Enter the filename in the Path to file field. The file needs to be local to the machine where you're running Splunk.

3. Select the Continue button.

Splunk Web takes you to the source type selection dialog.

Note: If you don't want to preview your data, select the radio button, Skip: don't preview.

Select the source type

After you give data preview the name of a file, it presents you with a dialog where you can designate the method for selecting a source type for the file. The choices are:

  • Use auto-detected source type. In most cases, Splunk will be able to make a reasonable guess as to which source type should be applied to the data. The dialog will indicate what source type Splunk has auto-detected, and you can choose whether to preview your data using that source type. If Splunk is unable to auto-detect the source type, it will tell you and allow you select from one of the two remaining options.
  • Start a new source type. You can create a new source type from scratch.
  • Apply an existing source type. You can select a predefined source type from the dropdown list.

Make your selection and click Continue. Splunk Web takes you to the main Data Preview page, where you can view the results of applying the source type and make any necessary changes to the source type.

The data preview page

Here's an example of the Data Preview page that appears after you specify a file and a source type:

Data preview 1.png

In the main part of the page, there's a box that contains a listing of the data from your file, formatted into events by Splunk. The formatting is based on the source type you selected previously.

Green highlighting indicates the raw data Splunk is using to create the timestamp. The extracted timestamp itself is specified in the column to the left of the event.

If there's a yellow warning icon at the start of a row, mouse over it to see detailed information about problems parsing that row's event.

To the right of the event list, there's some summary information about your data:

  • File properties, such as the path and the total number of bytes in the file.
  • Preview properties, such as the number of events extracted.
  • A chart showing the event time distribution.
  • The distribution of events by linecount.

Next steps

Once you've reviewed this page, you have a choice of two actions. These options appear at the top of the page:

  • If you're satisfied with the way your events look, select continue. Splunk will take you to the page where you can specify your actual file and apply the source type you've chosen in data preview.
  • If you want to improve the formatting of your events, select adjust timestamp and event break settings. Splunk will take you to a page where you can modify various event processing settings to create a new source type for the data. For information on how to modify event processing, read the next topic, "Modify event processing".

You can also choose to preview another file. To do so, select "Choose new file" from the bottom of the page.

PREVIOUS
Prepare your data
  NEXT
Modify event processing

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters