Splunk® Enterprise

Getting Data In


Assign the right source type to your data

This topic discusses how the "Set sourcetype" page helps you match the proper source type to the data that you index into Splunk Enterprise.

The purpose of the "Set sourcetype" page is to help you apply the right source type to your incoming data. The source type is one of the default fields that Splunk Enterprise assigns to all incoming data. The source type determines how Splunk Enterprise formats your data during indexing. By assigning the correct source type to your data, the indexed version of the data (the event data) will look the way you want it to, with proper timestamps and event breaks.

Splunk Enterprise comes with a large number of predefined source types. When consuming data, in most cases, Splunk Enterprise attempts to automatically assign the correct source type to your data and process the data appropriately. If you have specialized data, you might need to manually assign a different predefined source type to the data. In other cases, you might need to create a new source type with customized event processing settings.

The "Set sourcetype" page helps you assign the right source type to your data by showing you the results of applying any predefined source type to the data. It also allows you to modify the settings for a source type interactively, until you achieve the desired results. At that point, you can save the modifications as a new source type.

The "Set sourcetype" page lets you:

  • See what your data will look like without any changes, using the default event processing configuration that Splunk Enterprise automatically applies.
  • Apply a different source type to see whether that offers better results.
  • Modify settings for timestamps and event breaks to improve the quality of the indexed data and save the modifications as a new source type.
  • Create a new source type from scratch.

The page saves any new source types to a props.conf file, which you can later distribute across the indexers in your deployment, so that the source types are available globally. See "Data preview and distributed Splunk Enterprise" for details.
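
The following is an added example, not taken from the Splunk manual: a props.conf stanza of the kind saved for a custom source type with explicit timestamp and event-break settings. The source type name `acme:app:auth` and the log layout in the comments are assumptions constructed for illustration.

```ini
# Constructed sample events for a hypothetical application log:
#
#   2015-03-02 14:07:31,482 +0000 level=WARN user=jdoe action=login result=failure
#   2015-03-02 14:07:33,015 +0000 level=ERROR action=session msg="unhandled exception"
#       at com.example.Session.open(Session.java:88)
#       at com.example.Login.handle(Login.java:41)
#
# The indented stack-trace lines belong to the event that precedes them.

[acme:app:auth]
# Break events with LINE_BREAKER alone instead of merging lines afterwards.
SHOULD_LINEMERGE = false

# Start a new event only where a newline is followed by a full timestamp.
# The first capture group (the newline run) is discarded; the lookahead
# keeps the timestamp as the start of the next event.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})

# The timestamp is the first thing in each event.
TIME_PREFIX = ^

# Date, time, milliseconds after the comma, then the UTC offset.
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N %z

# The sample timestamp is 29 characters long; do not scan further, so that
# digits later in the event are never mistaken for a date.
MAX_TIMESTAMP_LOOKAHEAD = 29

# Upper bound on event length in bytes, so long stack traces are kept whole.
TRUNCATE = 10000
```

With settings like these, each event carries the time the application recorded rather than a guessed or index-time value, which keeps time-bounded searches and event ordering reliable during an investigation.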

For detailed information on source types, see "Why source types matter" in this manual. In addition, several topics in the "Configure event processing", "Configure timestamps", and "Configure source types" chapters provide advanced information on source type processing.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15

