Splunk® Enterprise

Getting Data In

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Create source types

You can create new source types on the Splunk platform in several ways:

  • Use the Set Source Type page in Splunk Web as part of adding the data.
  • Create a source type in the Source types management page, as described in Add Source Type.
  • Add source types using Edge Processors. See Add Source Types for Edge Processors in the Use Edge Processors manual.
  • Edit the props.conf configuration file. This option isn't available on Splunk Cloud Platform unless you define the source types on a universal forwarder and send them to Splunk Cloud Platform.

Although you can configure individual forwarders to create source types by editing the configuration files that reside on the forwarders, a best practice for creating source types is to use Splunk Web to guarantee that source types are consistent across your Splunk platform deployment.

Set the source type as part of creating a data input in Splunk Web

The Set Source Type page in Splunk Web lets you view the effects of applying a source type to your data. It also lets you make adjustments to the source type settings as necessary. You can save your changes as a new source type, which you can then assign to data inputs.

The page lets you make the most common types of adjustments to timestamps and event breaks. For other modifications, it lets you edit the underlying props.conf file directly. As you change settings, you can immediately see how the changes affect the event data.

The page appears only when you specify or upload a single file. It doesn't appear when you specify any other type of data source.

To learn more about the Set Source Type page and how to assign source types to your data, see Assign the correct source types to your data.

You can also use the Source types management page to create a new source type. See Add Source Type.

Edit the props.conf configuration file to create a source type

If you use Splunk Enterprise, you can create a new source type by editing the props.conf configuration file and adding a new source type stanza. For detailed information on the props.conf file, read the props.conf specification in the Splunk Enterprise Admin Manual. For information on configuration files in general, see About configuration files in the the Splunk Enterprise Admin Manual.

The following entry is an example of an entry in the props.conf file. This entry defines the access_combined source type and then assigns that source type to files that match the specified source. You can configure multiple files or directories in a source by using a regular expression.

[access_combined]
pulldown_type = true 
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
category = Web
description = National Center for Supercomputing Applications (NCSA) combined fo
rmat HTTP web server logs (can be generated by apache or other web servers)

[source::/opt/weblogs/apache.log]
sourcetype = access_combined

To edit the props.conf file, follow these steps:

  1. On the machine where you want to create a source type, create the $SPLUNK_HOME/etc/system/local/props.conf file if it doesn't already exist.

    You might need to create the local directory. If you use an app, go to the app in the $SPLUNK_HOME/etc/apps directory.

  2. Using a text editor, open the the props.conf file in $SPLUNK_HOME/etc/system/local directory.
  3. Add a stanza for the new source type and specify any settings that Splunk software is to use when handling the source type.

    [my_sourcetype]
    setting1 = value
    setting2 = value
    


    See the props.conf specification in the Splunk Enterprise Admin Manual for a list of settings.

  4. (Optional) If you know the name of the file to which the source type is to be applied, specify them in the [source::<source>] stanza:

    [my_sourcetype]
    setting1 = value
    setting2 = value
    <br>
    [source::.../my/logfile.log]
    sourcetype = my_sourcetype
    

  5. Save the props.conf file.
  6. Restart Splunk Enterprise. The new source types take effect after the restart completes.

Specify event breaks and time stamps

When you create a source type, there are some important settings to specify:

  • Event breaks: To learn how to use the props.conf file to specify event breaks, see Configure event line breaking.
  • Timestamps: To learn how to use the props.conf file to specify timestamps, see Configure timestamp recognition, as well as other topics in the Configure timestamps chapter of this manual.

There are also a number of additional settings that you can configure for event breaks and time stamps. See the props.conf specification in the Splunk Enterprise Admin Manual for more information.

Last modified on 28 March, 2024
Override source types on a per-event basis   Manage source types

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters