Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Prepare your data for previewing

This topic discusses how to prepare your data to be viewed in the Splunk Enterprise "Set sourcetype" page.

The "Set Sourcetype" page works on single files only, and can only access files that are on the Splunk Enterprise instance or have been uploaded there. Although it doesn't directly process network data or directories of files, you can easily get around those limitations.

Preview network data

You can direct some sample network data into a file, which you can then either upload or add as a file monitoring input. There are a number of external tools that can do this; a typical one in the *nix world is netcat. For example, if you're listening to UDP data on port 514, you can use netcat to direct some of your network data into a file:

nc -lu 514 > sample_network_data

It is best practice to run the command inside a shell script that has logic to kill netcat once the file reaches a size of 2MB. By default, data preview reads only the first 2MB of data from a file.
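The wrapper script described above, as an added example that is not part of the Splunk documentation: it starts netcat in the background, polls the capture file, and kills the listener once the file reaches the 2MB that data preview reads. The netcat flags follow the page's nc -lu form (OpenBSD/GNU style) and may need adjusting for other builds; port 514 needs elevated privileges to bind.

```shell
#!/bin/sh
# Added example: capture a UDP sample into a file and stop netcat once the
# file reaches the 2MB that the "Set sourcetype" page previews.
# Usage: sh capture_sample.sh PORT [OUTFILE]   (e.g. 514 sample_network_data)

MAX_BYTES=$((2 * 1024 * 1024))   # data preview reads only the first 2MB

# Size of a file in bytes; 0 if it does not exist yet. wc -c pads with
# spaces on some BSD userlands, so strip them.
file_size() {
    [ -f "$1" ] || { echo 0; return; }
    wc -c < "$1" | tr -d ' '
}

# True (exit 0) once the file holds at least $2 bytes.
reached_cap() {
    [ "$(file_size "$1")" -ge "$2" ]
}

# Run netcat as a background listener, poll the file once a second and kill
# the listener when the cap is hit or it exits on its own. The file may end
# a little past the cap; Splunk still previews only the first 2MB.
capture_until_cap() {
    port="$1"; outfile="$2"; maxbytes="$3"
    umask 077                      # captured logs may be sensitive: owner-only
    nc -lu "$port" > "$outfile" &
    nc_pid=$!
    while kill -0 "$nc_pid" 2>/dev/null; do
        if reached_cap "$outfile" "$maxbytes"; then
            kill "$nc_pid" 2>/dev/null
            break
        fi
        sleep 1
    done
    wait "$nc_pid" 2>/dev/null || true
    echo "captured $(file_size "$outfile") bytes into $outfile"
}

# Only start listening when a port was given on the command line.
if [ "$#" -gt 0 ]; then
    capture_until_cap "$1" "${2:-sample_network_data}" "$MAX_BYTES"
else
    echo "usage: $0 PORT [OUTFILE]" >&2
fi
```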

After you've created the "sample_network_data" file, you can add it like a normal input (either by uploading it or adding it as a file input). Splunk Enterprise brings up the "Set Sourcetype" page as part of the input definition process. Once you have previewed the file and made any necessary changes to its event processing, you can apply any newly created source type directly to the file.

Preview directories of files

If all the files in a directory are similar in content, then you can preview a single file and feel fairly confident that the results will be valid for all files in the directory. However, if you have directories with files of heterogeneous data, you should preview a set of files that represents the full range of data in the directory. This means that you should preview each type of file separately, as specifying any wildcard causes Splunk Enterprise to disable the "Set Sourcetype" page.

File size limit

Splunk Enterprise reads and displays the first 2MB of data from a file in the "Set Sourcetype" page. In most cases, this should provide a sufficient sampling of your data. If you need to sample a larger quantity of data, you can change the max_preview_bytes attribute in limits.conf. Alternatively, you can edit the file to reduce large amounts of similar data, so that the remaining 2MB of data contains a representation of all the types of data in the original file.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
