View and set source types for event data
This topic describes how to preview incoming data and set or create the source type for that data in Splunk Enterprise.
You access the feature automatically when you create a file input in Splunk Web: when you add a new input for a single file from the Files & Directories page, or upload a file, Splunk Web presents the "Set Sourcetypes" page.
At that point, you can see how Splunk Enterprise will index your data. You can then define a new source type, choose an existing source type, or accept the recommended source type and continue directly to the Input Settings page.
Review and set source types
After you choose the file you want to monitor in the Files & Directories Add Data panel or upload a file from the Upload page, Splunk Web presents the "Set Sourcetypes" page.
The page has three sections. The top section provides instructions on how to use the page. The bottom left section has controls that let you select and define a new source type, including setting event break, timestamp, and other options. The bottom right section - the "data preview pane" - provides a window into how Splunk Enterprise currently sees the data. Any action you take in the lower left section is reflected immediately in the lower right section.
At any time, you can return to the previous page and select a new file to preview by clicking the white "<" button in the top section.
1a. First, look at how Splunk Enterprise displays the data currently. How it displays here is how it will be indexed. Review event breaks and time stamps.
1b. You can use the Event Summary pop-up dialog to show the number of lines that Splunk Enterprise counted when parsing the file. A lower number of lines counted in the file than you expect can indicate the need to customize event breaking.
2a. If the data appears the way you want, then proceed to Step 3a.
2b. If the data does not appear the way you want, proceed to "Choose an existing source type" later in this topic to change source type parameters until it does.
3a. If you agree with the existing source type that Splunk Enterprise selected, click the green "Next" button in the top section to proceed to the Input Settings page. The data preview process is now complete.
3b. If you do not agree with the source type that Splunk Enterprise selected, if Splunk Enterprise did not choose a source type, or if you want to define a new source type, then you can do one of the following:
- Choose an existing source type. Splunk Enterprise indexes your data with this source type going forward. Caution: Choosing a different source type might change how Splunk Enterprise displays - and indexes - your data.
- Save a new source type. In rare cases, Splunk Enterprise parses the data correctly but doesn't provide an existing source type to use. In this case, you can save the source type and apply it to similar files in the future.
4. Once you have chosen or saved a source type, click on the green "Next" button in the top section to proceed to the Input Settings page. The data preview process is now complete.
Choose an existing source type
If Splunk Enterprise doesn't display the data the way you want initially, first see if there is an existing source type that works.
If you cannot find an existing source type that displays the data correctly, proceed to "Define a new source type" later in this topic for additional options to make your data display the way you want.
1. Click the Sourcetype: System Defaults button.
Splunk Enterprise displays a list of source type categories. Under each category is a list of source types within that category.
2. Mouse over the category that best represents your data. As you do, the source types under that category pop up in a menu to the right.
3. Select the source type that you feel best represents your data. Splunk Enterprise updates the data preview pane to show how the data looks under the new source type.
Note: You might need to scroll to see all source types in a category.
4. Review your data again, as described in "Review and set source types" earlier in this topic.
Define a new source type
If Splunk Enterprise does not show the data in the way you want even after choosing an existing source type, then define a new source type and configure event breaks, time stamp recognition, and other parameters until Splunk Enterprise displays the data to your liking.
To modify these parameters and define the source type, proceed to "Modify event processing" in this manual.
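The event-break and timestamp settings above decide both how many events a file yields (the count shown in the Event Summary pop-up in step 1b) and which events get a time stamp of their own. The following Python script is an added illustration written for this page, not Splunk code: it models a source type as an "event begins here" regex plus a timestamp prefix and format, and runs two hypothetical definitions (`NAIVE_PER_LINE` and `APP_LOG`, both invented here) over a constructed six-line log containing a Java stack trace. The setting names, regexes and sample log are this example's own and only loosely mirror a real source type's settings.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample input: six physical lines, three logical events. The ERROR
# event carries a three-line Java stack trace with no timestamp of its own.
SAMPLE_LOG = """\
2024-03-01 10:15:01,003 INFO  Login succeeded user=alice src=10.0.0.5
2024-03-01 10:15:02,117 ERROR Login failed user=bob src=10.0.0.9
java.lang.SecurityException: bad credentials
    at auth.Check.verify(Check.java:42)
    at auth.Handler.handle(Handler.java:88)
2024-03-01 10:15:03,250 WARN  Account locked user=bob
"""

# Two hypothetical source type definitions. The keys are this example's own and
# only loosely mirror the event-breaking and timestamp settings a Splunk source
# type carries; the regexes and time format are constructed for the sample above.
ISO_TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"

NAIVE_PER_LINE = {
    "name": "naive_per_line",
    "event_start": r"^",                  # every physical line begins a new event
    "time_prefix": ISO_TIMESTAMP,
    "time_format": "%Y-%m-%d %H:%M:%S,%f",
}

APP_LOG = {
    "name": "app_log",
    "event_start": r"^" + ISO_TIMESTAMP,  # break only before a line that starts with a timestamp
    "time_prefix": ISO_TIMESTAMP,
    "time_format": "%Y-%m-%d %H:%M:%S,%f",
}


def break_events(text: str, event_start: str) -> list[str]:
    """Split raw text into events.

    A line matching `event_start` begins a new event; any other line is merged
    into the event before it. The first line always starts an event.
    """
    starts = re.compile(event_start)
    events: list[str] = []
    for line in text.splitlines():
        if not events or starts.match(line):
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_timestamp(event: str, time_prefix: str, time_format: str) -> Optional[datetime]:
    """Return the event's timestamp if its first line starts with one, else None."""
    match = re.match(time_prefix, event)
    if match is None:
        return None
    return datetime.strptime(match.group(0), time_format)


def preview(text: str, sourcetype: dict) -> dict:
    """Summarise how `text` would be indexed under `sourcetype`: the event count,
    how many events lack a timestamp, and which raw events those are."""
    events = break_events(text, sourcetype["event_start"])
    untimed = [
        e for e in events
        if extract_timestamp(e, sourcetype["time_prefix"], sourcetype["time_format"]) is None
    ]
    return {
        "sourcetype": sourcetype["name"],
        "events": len(events),
        "untimed": len(untimed),
        "untimed_events": untimed,
    }


if __name__ == "__main__":
    for st in (NAIVE_PER_LINE, APP_LOG):
        summary = preview(SAMPLE_LOG, st)
        print(f"{summary['sourcetype']}: {summary['events']} events, "
              f"{summary['untimed']} without a timestamp")
        for e in summary["untimed_events"]:
            print("  no timestamp:", e.splitlines()[0])
```

Run stand-alone, the script reports six events under `naive_per_line`, three of them (the stack trace lines) without a timestamp, versus three fully timestamped events under `app_log`, where the stack trace stays attached to the ERROR event it belongs to. That is the difference to look for in the data preview pane: an event count that is too high or too low relative to the file, or events in the preview that lack their own time stamp, is the sign that the event-break or timestamp settings of the chosen source type do not fit the data.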
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15