Splunk® Enterprise

Getting Data In

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Modify event processing

You can change the event processing settings and save the improved settings as a new source type.

  1. View the event data, as described in Assign the correct source types to your data.
  2. Modify the event processing settings.
  3. Review the effect of your changes until you are satisfied.
  4. Save the modified settings as a new source type.
  5. Apply the new source type to any of your inputs.

Modify the event processing settings

To create the new source type, use the event-breaking and timestamp settings, then save the source type.

On the Set Source Type page, you can make three types of adjustments using the following collapsible tabs:

  • Event Breaks. Adjust the way that breaks the data into events.
  • Timestamps. Adjust the way determines event timestamps.
  • Advanced tab. If you have Splunk Enterprise, edit props.conf.

Modify event breaks

To modify event break parameters, click Event Breaks. You can choose the following break types:

  • Auto. Break events based on the location of timestamps in the data.
  • Every line. Consider every line a single event.
  • Regex... Use the specified regular expression to break data into events.

For information on line breaking, see Configure event line breaking. You can test your regular expression by using it in a search with the rex search command.

Modify timestamps

To modify timestamp recognition parameters, click the Timestamps tab to expand it.

You can choose from these extraction options:

  • Auto. Locate the timestamp automatically.
  • Current Time. Uses the current system time.
  • Advanced. Specify additional advanced parameters to adjust the timestamp.

Then, you can configure additional advanced parameters:

  • Timezone. The time zone that you want to use for the events.
  • Timestamp format. A string that represents the timestamp format for to use when searching for timestamps in the data. See Configure timestamp recognition.
  • Timestamp prefix. A regular expression that represents the characters that appear before a timestamp.
  • Lookahead. The number of characters that looks either into the event, or for the regular expression that you specified in "Timestamp prefix" for the timestamp.

If you specify a timestamp format in the Timestamp format field and the timestamp is not located at the very start of each event, you must also specify a prefix in the Timestamp prefix field. Otherwise, the Splunk platform can't process the formatting instructions, and every event will contain a warning about the inability to use strptime. It's possible that you still end up with a valid timestamp, based on how the Splunk platform attempts to recover from the problem.

For information on configuring timestamps, see How timestamp assignment works.

Make advanced modifications

To modify advanced parameters, click the Advanced tab. The tab shows options that let you specify source type properties by editing the underlying props.conf file.

You can add or change source type properties by specifying setting/value pairs. See the props.conf configuration file in the Admin Manual for details on how to set these properties.

The Advanced tab shows the current complete set of properties for the selected source type:

  • Settings generated by changes made in the Event Breaks or Timestamps tabs after you click Apply.
  • Preexisting settings for a source type that was either auto-detected or manually selected when you first previewed the file.
  • Settings you apply from the Additional settings text box after you click Apply settings.

For information on how to set source type properties, see props.conf in the Admin Manual. See also How timestamp assignment works and Configure event line breaking.

How combines settings

The settings changes you make in Advanced tab take precedence. For example, if you alter a timestamp setting using the Timestamps tab and also make a conflicting timestamp change in Advanced tab, the Advanced tab change takes precedence over the modification that you made in the Timestamps tab.

Starting with highest precedence, the following list shows how combines any adjustments with the underlying default settings:

  1. Advanced tab changes
  2. Event breaks or timestamp changes
  3. Settings for the underlying source type, if any
  4. Default system settings for all source types

If you make changes in the Advanced tab and then return to the Event Breaks or Timestamps tabs, the changes are not visible from those tabs.

Review your changes

When you are ready to view the effect of your changes, click Apply settings. Splunk Web refreshes the screen, so you can review the effect of your changes on the data.

To make further changes using any of the three adjustment methods available, click Apply changes to view the effect of the changes on your data.

Save modifications as a new source type

  1. Click Save As next to the Sourcetype button.
  2. In the dialog box that appears, name your new source type, choose the Source type category in which it will appear, and the application context it uses.
    Field Description
    Name The name of the new source type.
    Description The description of the new source type.
    Category The category that the source type appears as when you click Sourcetype.
    App The app that the new source type uses.
  3. Click Save to save the source type and return to the Set Source Type page.

Next step

You have several options after you save the source type:

  • (Optional) Click Next to apply the source type to your data and proceed to the Input settings page.
  • (Optional) Click the left-pointing angle bracket (<) to go back and choose a new file to upload or monitor.
  • (Optional) Click Add data to return to the beginning of the Add Data wizard.
Last modified on 31 March, 2021
Prepare your data for preview   Modify input settings

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters