Splunk® Enterprise

Getting Data In

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Prepare your data for preview

The Set Source Type page works on single files only, and it accesses files that reside on the Splunk deployment or have been uploaded there. Although the Set Source Type page doesn't directly process network data or directories of files, you can work around those limitations. With Splunk Cloud Platform, you can upload any file to preview it.

Preview network data

You can direct some sample network data into a file, which you can then either upload or add as a file monitoring input. Several external tools can do this. On *nix, the most popular tool is Netcat.

For example, to sample the syslog traffic that a network device sends to UDP port 514, you can use Netcat to listen on that port and redirect what it receives into a file. Run a command such as this one:

nc -lu 514 > sample_network_data

Netcat implementations differ in option syntax: the command above is for OpenBSD Netcat, and traditional Netcat expects -l -u -p 514 instead. Binding a port below 1024 requires root (or CAP_NET_BIND_SERVICE on Linux), and the bind fails if a Splunk UDP input or a local syslog daemon already listens on port 514, so take the sample on a host where nothing else is bound to that port. OpenBSD Netcat in UDP listen mode also locks onto the first host it hears from and ignores datagrams from other senders, so sample one device at a time. For best results, run the command inside a shell script that has logic to terminate the Netcat process after the file reaches 2 MB in size, because by default Splunk software reads only the first 2 MB of data from a file when you preview the data within that file.

After you've created the sample_network_data file, you can add it as an input, preview the data, and assign any new source types to the file.
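The size-bounded capture described above, written out as an added shell example; it is not part of the Splunk documentation, of Splunk software or of Netcat. It runs any producer command with its output redirected into the sample file, polls the file size once a second, and terminates the producer once the 2 MB preview limit is reached or a timeout expires. The function names, the CAPTURE_TIMEOUT variable and the constructed_syslog_producer stand-in (with the syslog-style lines it emits) are this example's own inventions, there so the script can be exercised without root or a network.

```shell
#!/bin/sh
# Added example: bounded capture of a producer's output for previewing in the
# Set Source Type page. Not Splunk or Netcat code; the function names and the
# CAPTURE_TIMEOUT variable are this example's own.
#
# capture_sample OUTFILE LIMIT_BYTES PRODUCER [ARGS...]
#   Runs PRODUCER in the background with stdout redirected to OUTFILE, polls the
#   file size once per second and terminates the producer as soon as the file
#   reaches LIMIT_BYTES, or after CAPTURE_TIMEOUT seconds (default 300) so that a
#   silent port does not block the script forever. Prints the final size in bytes.
capture_sample() {
    out=$1
    limit=$2
    shift 2
    timeout=${CAPTURE_TIMEOUT:-300}
    elapsed=0

    : > "$out"                  # start from an empty file
    "$@" > "$out" &             # producer writes straight into the sample file
    pid=$!

    while kill -0 "$pid" 2>/dev/null; do
        size=$(wc -c < "$out" | tr -d ' ')
        if [ "$size" -ge "$limit" ] || [ "$elapsed" -ge "$timeout" ]; then
            kill "$pid" 2>/dev/null || true
            wait "$pid" 2>/dev/null || true
            break
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    wc -c < "$out" | tr -d ' '
}

# Constructed stand-in for a chatty device: emits syslog-style lines until it is
# killed. Used only so the example can be run without a network or root.
constructed_syslog_producer() {
    i=0
    while :; do
        i=$((i + 1))
        echo "<13>Jan  1 00:00:00 edge-router-1 app[$i]: constructed sample line $i"
    done
}

# Real use, as in the text (binding port 514 needs root or CAP_NET_BIND_SERVICE):
#   sudo sh capture_sample.sh sample_network_data 2097152 nc -lu 514
# Demonstration without root, producing a sample of at least 64 KB:
#   sh capture_sample.sh sample_network_data 65536 constructed_syslog_producer
if [ "$#" -ge 3 ]; then
    capture_sample "$@"
fi
```

The limit is checked once per second, so the file ends up slightly larger than 2 MB; that is harmless, because the preview reads only the first 2 MB. The timeout matters in practice: a device that is not yet sending would otherwise leave Netcat holding the port indefinitely.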

Preview directories of files

If all of the files in a directory are similar in content, you can preview a single file and be confident that the results are valid for all of the files in the directory. However, if you have directories with files of heterogeneous data, be sure to preview a set of files that represents the full range of data in the directory. Preview each type of file separately, because specifying a wildcard causes Splunk Web to disable the Set Source Type page.

File size limit

Splunk Web displays the first 2 MB of data from a file in the Set Source Type page. In most cases, this amount provides a sufficient sampling of your data. If you use Splunk Enterprise, you can sample a larger quantity of data by changing the max_preview_bytes attribute in the limits.conf file. For more information about the limits.conf file, see limits.conf in the Splunk Enterprise Admin Manual.
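An added example of the limits.conf change, not taken from the Splunk documentation: the default setting beside a raised one, placed in the local configuration directory so that an upgrade does not overwrite it. The [indexpreview] stanza name is assumed here; confirm it against $SPLUNK_HOME/etc/system/README/limits.conf.spec on your installation. The 8 MB value is an arbitrary choice.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf
# Added example (not from the Splunk documentation). Stanza name assumed;
# confirm against $SPLUNK_HOME/etc/system/README/limits.conf.spec.

# Default behaviour: the Set Source Type page reads the first 2 MB of a file.
# [indexpreview]
# max_preview_bytes = 2097152

# Raised limit: preview the first 8 MB instead. Larger previews take longer to
# load in Splunk Web, so raise this only as far as your data requires.
[indexpreview]
max_preview_bytes = 8388608
```

Restart splunkd after editing limits.conf so that the new limit takes effect, and keep the change out of etc/system/default, which is replaced on upgrade.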

Alternatively, you can thin a copy of the file, removing large runs of similar events, so that the first 2 MB that remain contain examples of every type of data in the original file. Work on a copy so that the file you eventually monitor is unchanged.
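One way to do that thinning, as an added shell example that is not part of Splunk: it normalizes each line into a shape (every run of digits replaced by a placeholder) and keeps only the first few lines of each shape, so rare record types survive into the 2 MB that the preview reads. The function names, the per-shape count and the sshd and kernel lines written by make_constructed_sample are this example's own.

```shell
#!/bin/sh
# Added example (not Splunk code): thin a large log file so every kind of line
# is still represented within the first 2 MB that the Set Source Type page reads.
#
# reduce_sample INFILE OUTFILE [PER_SHAPE]
#   Keeps at most PER_SHAPE lines (default 3) for each line "shape", where the
#   shape is the line with every run of digits replaced by N. Timestamps, PIDs,
#   addresses, ports and counters therefore collapse into one shape, while lines
#   that differ in wording (another message, facility or field set) stay
#   distinct. Input order is preserved. Prints the number of lines kept.
reduce_sample() {
    in=$1
    out=$2
    per=${3:-3}
    awk -v per="$per" '
        {
            shape = $0
            gsub(/[0-9]+/, "N", shape)
            if (seen[shape]++ < per) print
        }' "$in" > "$out"
    wc -l < "$out" | tr -d ' '
}

# Constructed input: six near-identical sshd lines plus two other record types.
make_constructed_sample() {
    cat > "$1" <<'EOF'
Jan 10 10:00:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50001 ssh2
Jan 10 10:00:02 host1 sshd[1235]: Accepted publickey for alice from 10.0.0.5 port 50002 ssh2
Jan 10 10:00:03 host1 sshd[1236]: Accepted publickey for alice from 10.0.0.5 port 50003 ssh2
Jan 10 10:00:04 host1 sshd[1237]: Accepted publickey for alice from 10.0.0.5 port 50004 ssh2
Jan 10 10:00:05 host1 sshd[1238]: Accepted publickey for alice from 10.0.0.5 port 50005 ssh2
Jan 10 10:00:06 host1 sshd[1239]: Accepted publickey for alice from 10.0.0.5 port 50006 ssh2
Jan 10 10:00:09 host1 sshd[1240]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan 10 10:00:10 host1 kernel: eth0: link is up
EOF
}

# Usage on a real file (writes to a new file, leaving the original intact):
#   sh reduce_sample.sh big.log sample.log
if [ "$#" -ge 2 ]; then
    reduce_sample "$@"
fi
```

On the constructed input the six "Accepted publickey" lines collapse to three, while the single "Failed password" and kernel lines are kept, so the output holds five lines and still shows each record type. Raise PER_SHAPE if the timestamp or line-breaking rules you want to verify need more than a handful of examples per type.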

Last modified on 28 November, 2022

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12

