Create source types
You can create new source types in two ways:
- Use the "Set Sourcetype" page in Splunk Web
- Edit the props.conf configuration file directly
Set the source type in Splunk Web
The "Set Sourcetype" page in Splunk Web provides an easy way to view the effects of applying a source type to your data and to make adjustments to the source type settings as necessary. You can save your changes as a new source type, which you can then assign to data inputs.
The page lets you make the most common types of adjustments to timestamps and event breaks. For other modifications, it lets you edit the underlying props.conf file directly. As you change settings, you can immediately see the changes to the event data.
The page appears only when you specify or upload a single file. It does not appear when you specify any other type of source.
To learn more about the page, see "The "Set Sourcetype" page" in this manual.
Edit props.conf
You can create a new source type by editing props.conf and adding a new stanza. For detailed information on props.conf, read the props.conf specification in the Admin manual. For information on configuration files in general, see "About configuration files" in the Admin manual.
The following is an example of an entry in props.conf. This entry defines the access_combined source type and then assigns that source type to files that match the specified source. You can specify multiple files or directories in a source by using a regular expression.
[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
category = Web
description = National Center for Supercomputing Applications (NCSA) combined format HTTP web server logs (can be generated by apache or other web servers)

[source::/opt/weblogs/apache.log]
sourcetype = access_combined
To edit props.conf:
1. On the host where you want to create a source type, make a copy of $SPLUNK_HOME/etc/system/default/props.conf and save it in
Note: You might need to create the local directory. If you use an app, go to the app directory in
2. Using a text editor, open the props.conf file in
3. Add a stanza for the new source type and specify any attributes that Splunk Enterprise should use when handling the source type.
[my_sourcetype]
attribute1 = value
attribute2 = value
Note: See the props.conf specification for a list of attributes and how they should be used.
4. Optionally, if you know the name of the file (or files) that Splunk Enterprise should apply the source type to, you can specify them with the
[my_sourcetype]
attribute1 = value
attribute2 = value

[source::.../my/logfile.log]
sourcetype = my_sourcetype
5. Save the
6. Restart Splunk Enterprise. The new source types take effect after the restart completes.
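The example stanza above and the editing procedure both rely on two things a reader cannot see by looking at the file: which source type a given file path will actually receive from the [source::...] stanzas, and whether every sourcetype a source stanza names has a defining stanza at all (a typo there silently indexes events under a source type with none of the intended settings). The following is an added example, not Splunk's own code. It is a minimal props.conf reader that parses stanzas from a constructed sample modelled on the page's access_combined entry, translates Splunk's source wildcard syntax into a regex (per the props.conf specification: "..." matches any characters including path separators, "*" matches anything but a path separator, and the pattern must match the whole source name; the "/" separator, first-match-wins ordering and escaping of everything else are simplifications assumed here), resolves a path to its source type, and lists referenced-but-undefined source types.

```python
"""Minimal props.conf reader for the source-type example on this page.

Added example, not Splunk's own code: parses stanzas, converts the
[source::...] wildcard syntax to a regex, resolves which source type a file
path receives, and flags source stanzas whose sourcetype is never defined.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the page's access_combined example.
# The description is shortened; the second source stanza deliberately
# references a source type that has no defining stanza.
SAMPLE_PROPS = """\
[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \\[
category = Web
description = NCSA combined format HTTP web server logs

[source::/opt/weblogs/apache.log]
sourcetype = access_combined

[source::.../my/logfile.log]
sourcetype = my_sourcetype
"""


def parse_props(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style stanzas into {stanza_name: {key: value}}.

    Handles '#' comment lines and blank lines only; line continuations and
    other props.conf subtleties are out of scope for this example."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or malformed line: skip it
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def source_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a [source::<pattern>] into an anchored regex.

    '...' -> any characters (crosses path separators), '*' -> anything but a
    path separator ('/' assumed), whole-name match required. Every other
    character is taken literally, which is stricter than Splunk, whose
    patterns also allow '|' alternation and '( )' grouping."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def source_assignments(stanzas: Dict[str, Dict[str, str]]) -> List[Tuple["re.Pattern", str]]:
    """Collect (regex, sourcetype) pairs from every [source::...] stanza."""
    pairs = []
    for name, attrs in stanzas.items():
        if name.startswith("source::") and "sourcetype" in attrs:
            pairs.append((source_pattern_to_regex(name[len("source::"):]), attrs["sourcetype"]))
    return pairs


def resolve_sourcetype(stanzas: Dict[str, Dict[str, str]], path: str) -> Optional[str]:
    """Return the sourcetype the first matching source stanza assigns to `path`.

    First match in file order is an assumption of this example; Splunk applies
    its own precedence rules when several source stanzas match."""
    for regex, sourcetype in source_assignments(stanzas):
        if regex.match(path):
            return sourcetype
    return None


def undefined_sourcetypes(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Source types referenced by source stanzas but defined by no [name] stanza."""
    defined = {name for name in stanzas if "::" not in name}
    return sorted({st for _, st in source_assignments(stanzas) if st not in defined})


if __name__ == "__main__":
    props = parse_props(SAMPLE_PROPS)
    for path in ("/opt/weblogs/apache.log", "/var/log/my/logfile.log", "/var/log/other.log"):
        print(path, "->", resolve_sourcetype(props, path))
    print("undefined source types:", undefined_sourcetypes(props))
```

Running the check before the restart in step 6 catches the mismatch that a restart will not report: here "my_sourcetype" is assigned to a source but never defined, so events from that file would be indexed without the timestamp and line-breaking settings the stanza was meant to carry.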
Specify event breaks and time stamping
When you create a source type, there are some key attributes that you should specify:
- Event breaks. To learn how to use props.conf to specify event breaks, see "Configure event linebreaking".
- Timestamps. To learn how to use props.conf to specify timestamps, see "Configure timestamp recognition", as well as other topics in the "Configure timestamps" chapter of this manual.
There are also a number of additional settings that you can configure. See the props.conf specification for more information.
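To make the effect of the event-break and timestamp attributes concrete, the following added example (not Splunk's own code) simulates how the settings from the access_combined stanza on this page act on two constructed NCSA combined log lines. It assumes the documented behaviour: with SHOULD_LINEMERGE = false the default LINE_BREAKER of ([\r\n]+) splits events at the captured newlines, the timestamp is searched for after the TIME_PREFIX match within MAX_TIMESTAMP_LOOKAHEAD characters, and TIME_FORMAT is a strptime pattern (the TIME_FORMAT value below is an assumption for NCSA timestamps; the page's stanza leaves it unset). It also shows the failure mode of a lookahead window too small to reach the timestamp.

```python
"""Added example, not Splunk's own code: applies event-breaking and
timestamp settings from a props.conf stanza to raw log text.

Models only the rules named in the lead-in: LINE_BREAKER's capture group
marks the event boundary (its text is discarded), TIME_PREFIX locates the
timestamp, MAX_TIMESTAMP_LOOKAHEAD bounds the search, TIME_FORMAT parses it.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Settings from the page's access_combined stanza; LINE_BREAKER is the
# assumed default, TIME_FORMAT is an assumption for NCSA timestamps.
SETTINGS: Dict[str, str] = {
    "SHOULD_LINEMERGE": "false",
    "LINE_BREAKER": r"([\r\n]+)",
    "TIME_PREFIX": r"\[",
    "MAX_TIMESTAMP_LOOKAHEAD": "128",
    "TIME_FORMAT": "%d/%b/%Y:%H:%M:%S %z",
}

# Constructed sample: two NCSA combined-format lines.
SAMPLE = (
    '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "curl/7.1"\n'
    '10.0.0.9 - admin [10/Oct/2000:13:55:40 -0700] "POST /login HTTP/1.0" 401 512 "-" "Mozilla/5.0"\n'
)


def break_events(raw: str, settings: Dict[str, str]) -> List[str]:
    """Split raw text into events at each LINE_BREAKER capture-group match.

    Text before the group stays with the preceding event, the group's own
    text is dropped, and text after it starts the next event."""
    breaker = re.compile(settings["LINE_BREAKER"])
    events: List[str] = []
    start = 0
    for match in breaker.finditer(raw):
        events.append(raw[start:match.start(1)])
        start = match.end(1)
    if start < len(raw):
        events.append(raw[start:])  # trailing data with no final newline
    return [event for event in events if event.strip()]


def extract_timestamp(event: str, settings: Dict[str, str]) -> Optional[datetime]:
    """Locate TIME_PREFIX, then parse TIME_FORMAT inside the lookahead window.

    Tries the longest candidate first so trailing text after the timestamp
    does not break strptime. Returns None when the prefix is absent or no
    parseable timestamp lies within MAX_TIMESTAMP_LOOKAHEAD characters."""
    prefix = re.search(settings["TIME_PREFIX"], event)
    if prefix is None:
        return None
    lookahead = int(settings["MAX_TIMESTAMP_LOOKAHEAD"])
    window = event[prefix.end():prefix.end() + lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], settings["TIME_FORMAT"])
        except ValueError:
            continue
    return None


def index_events(raw: str, settings: Dict[str, str]) -> List[Optional[datetime]]:
    """Break raw text into events and return each event's extracted time."""
    return [extract_timestamp(event, settings) for event in break_events(raw, settings)]


if __name__ == "__main__":
    for event, when in zip(break_events(SAMPLE, SETTINGS), index_events(SAMPLE, SETTINGS)):
        print(when, "|", event[:40])
    # A window too short to reach the timestamp yields None: the event would
    # be indexed with a fallback time, not the one recorded in the log.
    short = dict(SETTINGS, MAX_TIMESTAMP_LOOKAHEAD="10")
    print("lookahead 10:", index_events(SAMPLE, short))
```

The second run is the case worth remembering: when the prefix is found but the window is too short, no timestamp is extracted and Splunk assigns the event a time from another source (such as the previous event or the file's modification time), so searches and alerts over a time range can miss the event entirely. Checking a sample of events in the "Set Sourcetype" page before saving the source type avoids that.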
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15