Prepare your data for preview
The Set Source Type page works on single files only, and it accesses files that reside on the Splunk deployment or have been uploaded there. Although the Set Source Type page doesn't directly process network data or directories of files, you can work around those limitations. With Splunk Cloud Platform, you can upload any file to preview it.
Preview network data
You can direct some sample network data into a file, which you can then either upload or add as a file monitoring input. Several external tools can do this. On *nix, the most popular tool is Netcat.
For example, if you want to monitor a network device for network traffic on UDP port 514, you can use Netcat to direct some of that network data into a file. Run a command such as this one:
nc -lu 514 > sample_network_data
For best results, run the command inside a shell script that has logic to terminate the Netcat process after the file reaches 2 MB in size. By default, Splunk software reads only the first 2 MB of data from a file when you preview the data within that file.
After you've created the sample_network_data file, you can add it as an input, preview the data, and assign any new source types to the file.
Preview directories of files
If all of the files in a directory are similar in content, you can preview a single file and be confident that the results are valid for all of the files in the directory. However, if you have directories with files of heterogeneous data, be sure to preview a set of files that represents the full range of data in the directory. Preview each type of file separately, because specifying a wildcard causes Splunk Web to disable the Set Source Type page.
File size limit
Splunk Web displays the first 2 MB of data from a file in the Set Source Type page. In most cases, this amount provides a sufficient sampling of your data. If you use Splunk Enterprise, you can sample a larger quantity of data by changing the max_preview_bytes
attribute in the limits.conf file. For more information about the limits.conf file, see limits.conf in the Splunk Enterprise Admin Manual.
Alternatively, you can edit the file to reduce large amounts of similar data so that the remaining 2 MB of data contains a representation of all the types of data in the original file.
The Set Sourcetype page | Modify event processing |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12
Feedback submitted, thanks!