Splunk® Enterprise

Getting Data In


Create source types

You can create a new source type in two ways:

  • Use the "Set Sourcetype" page in Splunk Web
  • Edit the props.conf configuration file directly

Set the source type in Splunk Web

The "Set Sourcetype" page in Splunk Web provides an easy way to view the effects of applying a source type to your data and to make adjustments to the source type settings as necessary. You can save your changes as a new source type, which you can then assign to data inputs.

The page lets you make the most common types of adjustments to timestamps and event breaks. For other modifications, it lets you edit the underlying props.conf file directly. As you change settings, you can immediately see the changes to the event data.

The page appears only when you specify or upload a single file. It does not appear when you specify any other type of source.

To learn more about the page, see "The "Set Sourcetype" page" in this manual.

Edit props.conf

You can create a new source type by editing props.conf and adding a new stanza. For detailed information on props.conf, read the props.conf specification in the Admin manual. For information on configuration files in general, see "About configuration files" in the Admin manual.

The following is an example of two entries in props.conf. The first stanza defines the access_combined source type. The second, a [source::<source>] stanza, assigns that source type to the file /opt/weblogs/apache.log. The <source> part of a source stanza can be a wildcard pattern or a regular expression, so one stanza can cover multiple files or directories.

[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
category = Web
description = National Center for Supercomputing Applications (NCSA) combined format HTTP web server logs (can be generated by apache or other web servers)

[source::/opt/weblogs/apache.log]
sourcetype = access_combined

To edit props.conf:

1. On the host where you want to create the source type, create the file $SPLUNK_HOME/etc/system/local/props.conf if it does not already exist. The local file should contain only the stanzas you add. Do not copy the entire $SPLUNK_HOME/etc/system/default/props.conf into local: every setting in local overrides the corresponding default, so a full copy freezes all of the defaults and masks changes shipped in later releases.

Note: You might need to create the local directory. If you are adding the source type to an app, put the stanzas in $SPLUNK_HOME/etc/apps/<app_name>/local/props.conf instead.

2. Using a text editor, open the props.conf file in $SPLUNK_HOME/etc/system/local.

3. Add a stanza for the new source type and specify any attributes that Splunk Enterprise should use when handling the source type.

[my_sourcetype]
attribute1 = value
attribute2 = value

Note: See the props.conf specification for a list of attributes and how they should be used.

4. Optionally, if you know the name of the file (or files) that Splunk Enterprise should apply the source type to, you can specify them with the [source::<source>] stanza:

[my_sourcetype]
attribute1 = value
attribute2 = value

[source::.../my/logfile.log]
sourcetype = my_sourcetype

5. Save the props.conf file.

6. Restart Splunk Enterprise. The new source type takes effect after the restart completes and applies only to data indexed from then on; events that were already indexed are not reprocessed. To confirm that the stanza was picked up and to see which file each setting comes from, run $SPLUNK_HOME/bin/splunk btool props list my_sourcetype --debug.

Specify event breaks and time stamping

When you create a source type, there are two groups of attributes that you should specify, because getting either one wrong produces events that are broken in the wrong places or carry the wrong time:

  • Event breaking: SHOULD_LINEMERGE (set to false for one-line-per-event formats such as web server access logs, as in the access_combined example above) and, when the default breaking rules do not match your data, LINE_BREAKER.
  • Time stamping: TIME_PREFIX (a regular expression that marks where the timestamp starts), TIME_FORMAT (a strptime-style pattern for the timestamp), and MAX_TIMESTAMP_LOOKAHEAD (how many characters after the prefix Splunk Enterprise scans for the timestamp). If the lookahead is too small for the timestamp, the timestamp is not found and the event is stamped using fallback rules rather than the time in the event.

There are also a number of additional settings that you can configure. See the props.conf specification for more information.
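The following is an added example, not Splunk code and not part of the original page. It previews what the stanzas from the procedure above will do before you restart: it parses a constructed props.conf fragment in the page's format, resolves a file path through a [source::...] stanza (treating `...` as "any directories" and `*` as "anything within one path segment", which is how Splunk source patterns work), and then applies SHOULD_LINEMERGE, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD to constructed NCSA combined log lines. The sourcetype name, the path, and the sample lines are assumptions made for the example; the line-merging rule is a simplification of Splunk's real behaviour, so use it as a sanity check for a stanza, not as a reference implementation.

```python
"""Preview event breaking and timestamping for a props.conf source type.

Added example, not Splunk's own code. It approximates the settings used on
the page (the [source::...] mapping, SHOULD_LINEMERGE, TIME_PREFIX,
TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD) on constructed input.
"""
import re
from datetime import datetime

# Constructed props.conf text in the page's format (assumed names and path).
PROPS_CONF = r"""
[my_sourcetype]
SHOULD_LINEMERGE = false
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 26

[source::.../my/logfile.log]
sourcetype = my_sourcetype
"""

# Constructed sample lines: two NCSA combined records and a stray line with
# no timestamp, the kind of input that exposes line-merge mistakes.
SAMPLE_LINES = [
    '127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326',
    "    continuation text with no timestamp",
    '10.0.0.5 - - [10/Oct/2000:13:55:40 -0700] "POST /login HTTP/1.0" 302 0',
]


def parse_props(text):
    """Parse '[stanza]' headers and 'key = value' lines into nested dicts."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            conf[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            conf[current][key.strip()] = value.strip()
    return conf


def resolve_sourcetype(path, conf):
    """Map a file path to a sourcetype through [source::<pattern>] stanzas.

    '...' matches across directory separators, '*' within one segment.
    """
    for stanza, settings in conf.items():
        if not stanza.startswith("source::"):
            continue
        pattern = stanza[len("source::"):]
        regex = re.escape(pattern).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
        if re.fullmatch(regex, path):
            return settings.get("sourcetype")
    return None


def extract_timestamp(line, settings):
    """Find the timestamp after TIME_PREFIX inside the lookahead window.

    Returns None when the prefix is absent or the timestamp does not fit in
    MAX_TIMESTAMP_LOOKAHEAD characters, which is what a too-small lookahead
    looks like in practice.
    """
    start = 0
    prefix = settings.get("TIME_PREFIX")
    if prefix:
        m = re.search(prefix, line)
        if not m:
            return None
        start = m.end()
    lookahead = int(settings.get("MAX_TIMESTAMP_LOOKAHEAD", "128"))
    window = line[start:start + lookahead]
    fmt = settings.get("TIME_FORMAT")
    if not fmt:
        return None
    # Emulate scanning the window by trying its longest prefix that strptime accepts.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


def break_events(lines, settings):
    """Split lines into events. With SHOULD_LINEMERGE=false each line is an
    event; with it true, a line carrying no timestamp joins the previous
    event (a simplification of Splunk's default date-based breaking)."""
    merge = settings.get("SHOULD_LINEMERGE", "true").lower() in ("true", "1", "yes")
    events = []
    for line in lines:
        ts = extract_timestamp(line, settings)
        if merge and ts is None and events:
            events[-1]["raw"] += "\n" + line
        else:
            events.append({"raw": line, "time": ts})
    return events


def preview(path, lines, props_text=PROPS_CONF):
    """Resolve the sourcetype for `path` and preview its event breaking."""
    conf = parse_props(props_text)
    sourcetype = resolve_sourcetype(path, conf)
    settings = conf.get(sourcetype, {}) if sourcetype else {}
    return sourcetype, break_events(lines, settings)


if __name__ == "__main__":
    st, events = preview("/var/log/my/logfile.log", SAMPLE_LINES)
    print("sourcetype:", st)
    for ev in events:
        print(ev["time"], repr(ev["raw"][:40]))
```

Run it once with SHOULD_LINEMERGE = false and once with it set to true to see the stray line either become its own untimestamped event or get folded into the preceding request. Lowering MAX_TIMESTAMP_LOOKAHEAD below the 26 characters the bracketed timestamp occupies makes every timestamp disappear, which is the symptom to look for when events in the index all carry the wrong time.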


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
