
Override automatic source type assignment
Splunk software attempts to assign a source type to your data automatically. You can specify what source type to assign. You can also configure Splunk software so that it assigns a source type based on either the data input or the data source.
For details on the precedence rules that Splunk software uses to assign source types to data, read How Splunk software assigns source types.
Overrides only work on file and directory monitoring inputs or files you have uploaded. You cannot override the source type on network inputs. Additionally, overrides only affect new data that arrives after you set up the override. To correct the source types of events that have already been indexed, create a tag for the source type instead.
This topic describes how to specify a source type for data based on its input and based on its source.
Specify source type for an input
You can assign the source type for data coming from a specific input, such as /var/log/. If you have Splunk Enterprise, you do this in Splunk Web or by editing the inputs.conf configuration file. If you have Splunk Cloud, use Splunk Web to define source types.
Note: While assigning source type by input seems like a simple way to handle things, it is not very granular: when you use it, Splunk software assigns the same source type to all data from an input, even if some of the data comes from different sources or hosts. To bypass automatic source type assignment in a more targeted manner, you can assign source types based on the source of the data, as described later in this topic.
Use Splunk Web
When you define a data input, you can set a source type value to be applied to all incoming data from that input. You can pick a source type from a list or enter your own source type value.
To select a source type for an input, change the source type settings for the data input type you want to add. For example, for file inputs:
- Click Settings in the upper right-hand corner of Splunk Web.
- In the Data section of the Settings pop-up, click Data Inputs.
- Click Files & Directories.
- Click the New button to add an input.
- In the "Add Data" page, browse or enter the name of the file you want to monitor, then click "Next".
- In the "Set Sourcetype" page, click the "Sourcetype" drop-down and choose from the list of pretrained source types. Splunk Web updates the page to show how the data looks when it receives the new source type.
- If you want to make changes to the source type, use the "Event Breaks", "Timestamp", and "Advanced" tabs to modify settings and refresh the data preview. See The Set Sourcetype page in this manual.
- If you want to save the source type as a different name, click Save As… to open a dialog box to save the new source type. Otherwise, proceed to Step 10.
- If you chose to save the source type, Splunk Web displays the "Save Sourcetype" dialog. Enter the name, description, category, and app that the source type should apply to. See Save modifications as a new source type.
- Click "Next" to set the source type for the data and proceed to the Input settings page.
Splunk software now assigns your selected source type to all events it indexes for that input.
Use the inputs.conf configuration file
When you configure an input in inputs.conf, you can specify a source type for the input. Edit inputs.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see About configuration files in the Admin manual.
To specify a source type, include a sourcetype attribute within the stanza for the input. For example:
[tcp://:9995]
connection_host=dns
sourcetype=log4j
source=tcp:9995
This example sets the source type to "log4j" for any events coming from your TCP input on port 9995.
Caution: Do not put quotes around the attribute value: sourcetype=log4j, not sourcetype="log4j".
Specify source type for a source
Use props.conf to override automated source type matching and explicitly assign a single source type to all data coming from a specific source.
Edit props.conf in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see About configuration files.
If you want to override a source type, you must configure the setting in props.conf on the forwarder where the input is configured.
To override source type assignment, add a stanza for your source to props.conf.
In the stanza, identify the source path, using regular expression (regex) syntax for flexibility if necessary. Then specify the source type by including a sourcetype attribute. For example:
[source::.../var/log/anaconda.log(.\d+)?]
sourcetype=anaconda
This example sets the source type to "anaconda" for events from any sources containing the string /var/log/anaconda.log followed by any number of numeric characters.
Your stanza source path regular expressions (such as [source::.../web/....log]) should be as specific as possible. Avoid using a regex that ends in "...". For example, do not do this:
[source::/home/fflanda/...]
sourcetype=mytype
This is dangerous. It tells Splunk software to process any gzip files in /home/fflanda as "mytype" files rather than gzip files.
Instead, write:
[source::/home/fflanda/....log(.\d+)?]
sourcetype=mytype
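The following Python script is an added example, not Splunk's own code or part of this manual. It parses the stanzas shown in this topic from a constructed .conf sample, flags the two mistakes the topic warns about (a quoted sourcetype value in inputs.conf, and a props.conf source pattern that ends in "..."), and shows which source:: stanzas match a given file path, so an overly broad pattern such as [source::/home/fflanda/...] is visible before it is deployed. The translation of "..." and "*" into a regex is a simplified model of Splunk's matching (an assumption, not Splunk's implementation), and the helper reports every matching stanza rather than applying Splunk's precedence rules.

```python
import re

# Constructed sample .conf text combining the stanzas shown in this topic,
# including the two mistakes it warns about (a quoted sourcetype value and a
# source pattern ending in "...").
SAMPLE_CONF = r"""
[tcp://:9995]
connection_host = dns
sourcetype = "log4j"
source = tcp:9995

[source::.../var/log/anaconda.log(.\d+)?]
sourcetype = anaconda

[source::/home/fflanda/...]
sourcetype = mytype

[source::/home/fflanda/....log(.\d+)?]
sourcetype = mytype
"""


def parse_conf(text):
    """Parse .conf text into a list of (stanza_name, settings) pairs.
    Simplified: handles [stanza] headers, key = value lines and '#' comments only."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return stanzas


def lint(stanzas):
    """Return warnings for the two mistakes called out in this topic."""
    warnings = []
    for name, settings in stanzas:
        value = settings.get("sourcetype")
        # sourcetype=log4j, not sourcetype="log4j"
        if value and len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            warnings.append(f"[{name}] sourcetype value is quoted: {value}")
        # a source pattern ending in "..." matches every file below that path
        if name.startswith("source::") and name.endswith("..."):
            warnings.append(f"[{name}] source pattern ends in '...' and matches every file under that path")
    return warnings


def source_pattern_to_regex(stanza_name):
    """Translate a source:: stanza name into an anchored Python regex.
    Assumption (simplified model, not Splunk's code): "..." matches anything
    including "/", "*" matches anything except "/", all else is regex syntax."""
    body = stanza_name[len("source::"):]
    parts = []
    i = 0
    while i < len(body):
        if body.startswith("...", i):
            parts.append(".*")
            i += 3
        elif body[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(body[i])
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matching_stanzas(stanzas, source_path):
    """Return the names of all source:: stanzas whose pattern matches source_path.
    Splunk's real precedence rules pick one; listing all of them exposes broad patterns."""
    return [
        name
        for name, _ in stanzas
        if name.startswith("source::") and source_pattern_to_regex(name).match(source_path)
    ]


STANZAS = parse_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for warning in lint(STANZAS):
        print("WARNING:", warning)
    for path in ("/home/fflanda/archive.gz", "/home/fflanda/app.log.2",
                 "/var/log/anaconda.log.3"):
        print(path, "->", matching_stanzas(STANZAS, path))
```

Run against the sample, the linter reports the quoted "log4j" value and the [source::/home/fflanda/...] stanza, and the path check shows that /home/fflanda/archive.gz is caught only by the broad pattern while /home/fflanda/app.log.2 is matched by the narrower ....log(.\d+)? form as well.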
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.11, 6.3.1, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0, 8.1.1, 7.0.13, 7.0.2