Prepare your data
Data preview works on single files only. Although it doesn't directly process network data or directories of files, you can easily get around those limitations.
Note: Data preview can only access files that are local to the machine running Splunk.
Preview network data
You can direct some sample network data into a file, which you can then feed to data preview. There are a number of external tools that can do this; a typical one in the *nix world is netcat. For example, if you're receiving UDP data on port 514 (the usual syslog port), you can use netcat to capture some of that data into a file:
nc -lu 514 > sample_network_data
That is the OpenBSD netcat syntax; traditional netcat takes "nc -l -u -p 514" instead. Port 514 is privileged, so run the listener as root (or with CAP_NET_BIND_SERVICE), and if Splunk is already listening on that port on the same host, netcat will not be able to bind to it: capture on another host, or temporarily disable the Splunk input while you take the sample. Some netcat builds (OpenBSD nc in UDP listen mode, for instance) lock on to the first host that sends a datagram and ignore the others, so if the port receives data from several hosts, check that the captured sample contains more than one sender.
You will probably want to run that command inside a shell script that has logic to kill netcat once the file reaches a size of 2MB; by default, data preview reads only the first 2MB of data from a file, so anything captured beyond that is wasted.
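The following wrapper script is an added example for this page, not a script shipped with Splunk. It starts the netcat listener in the background, polls the output file, and kills the listener once the file reaches the size limit. The 2MB figure is taken here as 2,000,000 bytes (an assumption; compare the default of max_preview_bytes in the limits.conf.spec for your version), and the script assumes OpenBSD-style netcat ("nc -lu PORT"); the script name, function names and the capture_sample.sh invocation are illustrative.

```shell
#!/bin/sh
# capture_sample.sh: write UDP datagrams arriving on a port to a file until the
# file reaches a size limit, then stop the listener.
# Added example for this page; not a script shipped with Splunk.
# Assumes OpenBSD-style netcat ("nc -lu PORT"); traditional netcat wants
# "nc -l -u -p PORT" instead.

# Data preview reads only the first 2 MB of a file. The limit is taken as
# 2,000,000 bytes here (an assumption; compare max_preview_bytes in your
# version's limits.conf.spec).
PREVIEW_LIMIT=2000000

# Print the size of file $1 in bytes (wc -c on stdin prints just the number;
# tr strips the leading spaces that BSD wc adds).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Succeed (exit 0) when file $1 holds at least $2 bytes.
reached_limit() {
    [ "$(file_size "$1")" -ge "$2" ]
}

# Listen on UDP port $1, write to file $2, stop once $3 bytes have arrived
# (default: PREVIEW_LIMIT). Prints the number of bytes captured.
capture_udp() {
    port=$1
    out=$2
    limit=${3:-$PREVIEW_LIMIT}

    : > "$out"                       # start from an empty file
    nc -lu "$port" > "$out" &        # listener runs in the background
    pid=$!
    # Stop the listener if this script is interrupted.
    trap 'kill "$pid" 2>/dev/null' INT TERM

    # Poll the file size. Datagrams are appended as they arrive, so the final
    # size may overshoot the limit by at most one datagram, which is harmless:
    # data preview ignores everything past the first 2 MB anyway.
    while kill -0 "$pid" 2>/dev/null; do
        if reached_limit "$out" "$limit"; then
            kill "$pid" 2>/dev/null
            break
        fi
        sleep 1
    done
    # The listener exits with a non-zero status after being killed; that is
    # expected, so do not let it abort the script.
    wait "$pid" 2>/dev/null || true
    file_size "$out"
}

# Only start capturing when a port and output file are given, e.g.:
#   sudo sh capture_sample.sh 514 sample_network_data
# Port 514 is privileged, so the listener needs root (or CAP_NET_BIND_SERVICE).
if [ $# -ge 2 ]; then
    bytes=$(capture_udp "$1" "$2" "${3:-$PREVIEW_LIMIT}")
    echo "captured $bytes bytes into $2"
fi
```

An optional third argument overrides the byte limit, which is useful if you have raised max_preview_bytes in limits.conf. Run without arguments the script does nothing, so it can also be sourced for the helper functions.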
After you've created the "sample_network_data" file, you can run it through data preview. Once you've finished previewing the data in the file and making any necessary changes to its event processing, you can apply any newly created source type directly to your network data.
Preview directories of files
If all the files in a directory are similar in content, then you can run data preview on just a single file and feel fairly confident that the results will be valid for all files in the directory. However, if you have directories with files of heterogeneous data, you should run data preview multiple times, on a set of files that represent the full range of data in your directory.
File size limit
Data preview reads the first 2MB of data from the file. In most cases, this should provide a sufficient sampling of your data. If you need to sample a larger quantity of data, you can change the max_preview_bytes attribute in limits.conf. Alternatively, you can edit the file to reduce large amounts of similar data, so that the remaining 2MB of data contains a representation of all the types of data in the original file.
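As an added illustration (not text from the original page), raising the limit looks like the fragment below. The attribute sits in the [preview] stanza of limits.conf (stanza name as I recall it from limits.conf.spec; confirm against the spec file shipped with your version), the edit belongs in $SPLUNK_HOME/etc/system/local/limits.conf rather than the default file, which upgrades overwrite, and splunkd must be restarted to pick it up. The 8,000,000 value is an example, not a recommendation.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf
# Raise the data preview sample from the 2 MB default to roughly 8 MB.
# Stanza and attribute name as in limits.conf.spec; verify for your version.
[preview]
max_preview_bytes = 8000000
```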
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18