Prepare your data for previewing
This topic discusses how to prepare your data to be viewed in the Splunk Enterprise "Set sourcetype" page.
The "Set Sourcetype" page works on single files only, and can only access files that are on the Splunk Enterprise instance or have been uploaded there. Although it doesn't directly process network data or directories of files, you can easily get around those limitations.
Preview network data
You can direct some sample network data into a file, which you can then either upload or add as a file monitoring input. There are a number of external tools that can do this; a typical one in the *nix world is netcat. For example, if you're listening to UDP data on port 514, you can use netcat to direct some of your network data into a file:
nc -lu 514 > sample_network_data
It is best practice to run the command inside a shell script that has logic to kill netcat once the file reaches a size of 2MB. By default, data preview reads only the first 2MB of data from a file.
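The wrapper script recommended above, as an added example that is not part of the Splunk documentation: it starts netcat exactly as shown, polls the output file once a second, and stops the listener once the file reaches the 2MB that data preview reads. The port, output file name and polling interval are assumptions chosen for the example.

```shell
#!/bin/sh
# Capture a sample of UDP data (for example syslog on port 514) into a file
# for the "Set Sourcetype" page, and stop netcat once the file reaches the
# 2MB that data preview reads. Added example; the port, file name and
# polling interval are assumptions, only the 2MB limit comes from the docs.

# Byte count of a file; "wc -c <" keeps the output portable across userlands.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Poll FILE once a second until it holds at least LIMIT bytes, then terminate
# the listener with process id PID. Returns 0 when the limit was reached,
# 1 when the listener exited on its own before that.
wait_for_limit() {
    file="$1"; limit="$2"; pid="$3"
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$(file_size "$file")" -ge "$limit" ]; then
            kill "$pid" 2>/dev/null || true
            wait "$pid" 2>/dev/null || true
            return 0
        fi
        sleep 1
    done
    return 1
}

# Listen with netcat on UDP PORT, writing to FILE, until FILE reaches LIMIT.
capture_sample() {
    port="$1"; file="$2"; limit="$3"
    : > "$file"
    nc -lu "$port" > "$file" &
    wait_for_limit "$file" "$limit" $!
}

# Run the capture only when invoked with a port, for example:
#   ./capture_sample.sh 514 sample_network_data
if [ "$#" -ge 1 ]; then
    capture_sample "$1" "${2:-sample_network_data}" "${3:-2097152}"
fi
```

Binding UDP port 514 needs the usual privileges on your host; the resulting file is then uploaded or monitored like any other input.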
After you've created the "sample_network_data" file, you can add it like a normal input (either by uploading it or adding it as a file input). Splunk Enterprise brings up the "Set Sourcetype" page as part of the input definition process. Once you have previewed the file and made any necessary changes to its event processing, you can apply any newly created source type directly to the file.
Preview directories of files
If all the files in a directory are similar in content, then you can preview a single file and feel fairly confident that the results will be valid for all files in the directory. However, if you have directories with files of heterogeneous data, you should preview a set of files that represents the full range of data in the directory. This means that you should preview each type of file separately, as specifying any wildcard causes Splunk Enterprise to disable the "Set Sourcetype" page.
File size limit
Splunk Enterprise reads and displays the first 2MB of data from a file in the "Set Sourcetype" page. In most cases, this should provide a sufficient sampling of your data. If you need to sample a larger quantity of data, you can change the max_preview_bytes attribute in limits.conf. Alternatively, you can edit the file to reduce large amounts of similar data, so that the remaining 2MB of data contains a representation of all the types of data in the original file.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15