Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. Click here for the latest version.Download topic as PDF
The following are the spec and example files for
# Version 7.2.3 # # This file contains all possible options for configuring settings for the # file classifier in source-classifier.conf. # # There is a source-classifier.conf in $SPLUNK_HOME/etc/system/default/ To # set custom configurations, place a source-classifier.conf in # $SPLUNK_HOME/etc/system/local/. For examples, see # source-classifier.conf.example. You must restart Splunk to enable # configurations. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles ignored_model_keywords = <space-separated list of terms> * Terms to ignore when generating a sourcetype model. * To prevent sourcetype "bundles/learned/*-model.xml" files from containing sensitive terms (e.g. "bobslaptop") that occur very frequently in your data files, add those terms to ignored_model_keywords. ignored_filename_keywords = <space-separated list of terms> * Terms to ignore when comparing a new sourcename against a known sourcename, for the purpose of classifying a source.
# Version 7.2.3 # # This file contains an example source-classifier.conf. Use this file to # configure classification # of sources into sourcetypes. # # To use one or more of these configurations, copy the configuration block # into source-classifier.conf in $SPLUNK_HOME/etc/system/local/. You must # restart Splunk to enable configurations. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles # terms to ignore when generating sourcetype model to prevent model from # containing servernames ignored_model_keywords = sun mon tue tues wed thurs fri sat sunday monday tuesday wednesday thursday friday saturday jan feb mar apr may jun jul aug sep oct nov dec january february march april may june july august september october november december 2003 2004 2005 2006 2007 2008 2009 am pm ut utc gmt cet cest cetdst met mest metdst mez mesz eet eest eetdst wet west wetdst msk msd ist jst kst hkt ast adt est edt cst cdt mst mdt pst pdt cast cadt east eadt wast wadt # terms to ignore when comparing a sourcename against a known sourcename ignored_filename_keywords = log logs com common event events little main message messages queue server splunk
Last modified on 22 December, 2018
This documentation applies to the following versions of Splunk® Enterprise: 7.2.3
Feedback submitted, thanks!