Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

The data preview window

This topic shows an example of the data preview page and describes the subtle differences in what Splunk Web displays depending on the choice you made in the "Select the source type" dialog box.


The following graphic is an example of the data preview page that appears after you specify a file and a source type:

61 datapreview.png

The data preview page has an upper and a lower section. The upper section provides controls that let you determine how Splunk Enterprise displays the preview data, which it displays in the lower section.

The lower, main section displays a listing of the data from your file, formatted into events by Splunk. The formatting is based on the source type you selected previously. This section changes depending on the options you click in the upper section of the page.

In the event listing, Splunk Web shows the extracted timestamp itself in the column to the left of each event.

If there's a yellow warning icon at the start of a row, you can mouse over it to see detailed information about problems that Splunk Enterprise encountered when parsing the event in that row.

To the right of the event list, there is some summary information about your data:

  • File properties, such as the path and the total number of bytes in the file.
  • Preview properties, such as the number of events extracted.
  • A chart showing the event time distribution.
  • The distribution of events by linecount.

As discussed previously, the controls that Splunk Web displays depend on the option that you chose in "Select the source type" above. Read below for additional information on the subtle - but significant - differences.

Structured data preview

61 datapreview structured.png

When Splunk Enterprise automatically detects the source type of the file that you chose to preview, it displays this type in the "Select the source type" dialog box.

If you choose the option to use the detected source type, Splunk Web displays the "structured" data preview page. This page has the "Timestamps" and "Advanced mode" tabs available. The Timestamps tab lets you iterate changes to the previewed data based on various timestamp-related variables. The "Advanced Mode" tab lets you see (and edit) exactly what Splunk Enterprise puts into props.conf when you save the source type after making modifications to it.

Unstructured data preview

61 datapreview unstructured.png

When Splunk Enterprise is not able to automatically detect the file's source type, or you choose not to use the source type it detects, Splunk Web loads the "unstructured" data preview page. This page is similar to the structured data preview page, with the following exceptions:

  • The page has a drop-down list box that allows you to change the source type of the data that you are previewing. By default, the drop-down list shows "Unstructured data" which means that Splunk Enterprise does not attempt to break the file up into events.
  • An "Event Breaks" tab is available. This tab allows you to control how Splunk Enterprise breaks up individual lines in the file into events.

Source type-based data preview

61 datapreview sourcetype.png

When you choose to apply an existing source type to a file, Splunk Web displays the "source type-based" data preview page. This page differs depending on how the source type has been defined on the Splunk Enterprise instance.

You might see the following additional tabs, depending on the source type:

  • The "General" tab allows you to choose characters that separate fields in your file, such as , (comma), tab, space, or | (pipe). It also lets you set up a regular expression to ignore the preamble - the beginning - lines in a file that should not be indexed.
  • The "Headers" tab is similar to the General tab, but defines where in your file the headers are. You can define headers by specifying a pattern, providing the line number from within the file, or by specifying the header fields directly.
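The following is an added illustration, not taken from this manual, of the kind of props.conf stanzas that the "Advanced mode" tab exposes after you adjust event breaks, timestamps, delimiters, and headers. The source type names, field name, and values are hypothetical, and which settings each tab writes is an assumption.

```ini
# Hypothetical source type: unstructured, multi-line application log.
[example_app_log]
# Event breaking: merge lines, and start a new event only at a line
# that begins with a date such as 2014-05-01.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s
# Timestamp extraction: the timestamp is the first 19 characters of the event.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# State the time zone explicitly when the log line does not carry one.
TZ = UTC

# Hypothetical source type: pipe-delimited export with comment lines on top.
[example_pipe_export]
# Structured parsing with | (pipe) as the field separator.
INDEXED_EXTRACTIONS = psv
FIELD_DELIMITER = |
# Preamble lines that match this pattern are ignored and not indexed.
PREAMBLE_REGEX = ^#
# The header fields are on this line of the file.
HEADER_FIELD_LINE_NUMBER = 3
# Take the event time from a named column (hypothetical field name).
TIMESTAMP_FIELDS = event_time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
```

After editing settings like these, recheck the timestamp column and any yellow warning icons in the event listing, because events with a wrongly parsed time land in the wrong time range when you search them later.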

Next steps

Once you've reviewed this page, you have a choice of two actions with the file you are currently previewing:

  • If you're satisfied with the way your events look, select Continue on the lower right side of the page. Splunk Enterprise takes you to the page where you can specify your actual file and apply the source type you've chosen in data preview.
  • If you want to improve the formatting of your events, select items in the upper section of the page to modify the various event processing settings for the data. For information on how to modify event processing, read the next topic, "Modify event processing".

You can also choose to preview another file. To do so, select "Choose new file" from the lower left side of the page.


This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
