Create source types
You can create new source types on the Splunk platform in several ways:
- Use the Set Source Type page in Splunk Web as part of adding the data.
- Create a source type in the Source types management page, as described in Add Source Type.
- Edit the props.conf configuration file. This option isn't available on Splunk Cloud Platform unless you define the source types on a universal forwarder and send them to Splunk Cloud Platform.
Although you can configure individual forwarders to create source types by editing the configuration files that reside on the forwarders, a best practice for creating source types is to use Splunk Web to guarantee that source types are consistent across your Splunk platform deployment.
Set the source type as part of creating a data input in Splunk Web
The Set Source Type page in Splunk Web lets you view the effects of applying a source type to your data. It also lets you make adjustments to the source type settings as necessary. You can save your changes as a new source type, which you can then assign to data inputs.
The page lets you make the most common types of adjustments to timestamps and event breaks. For other modifications, it lets you edit the underlying props.conf file directly. As you change settings, you can immediately see how the changes affect the event data.
The page appears only when you specify or upload a single file. It doesn't appear when you specify any other type of data source.
To learn more about the Set Source Type page and how to assign source types to your data, see Assign the correct source types to your data.
You can also use the Source types management page to create a new source type. See Add Source Type.
Edit the props.conf configuration file to create a source type
If you use Splunk Enterprise, you can create a new source type by editing the props.conf configuration file and adding a new source type stanza. For detailed information on the props.conf file, read the props.conf specification in the Splunk Enterprise Admin Manual. For information on configuration files in general, see About configuration files in the the Splunk Enterprise Admin Manual.
The following entry is an example of an entry in the props.conf file. This entry defines the
access_combined source type and then assigns that source type to files that match the specified source. You can configure multiple files or directories in a source by using a regular expression.
[access_combined] pulldown_type = true maxDist = 28 MAX_TIMESTAMP_LOOKAHEAD = 128 REPORT-access = access-extractions SHOULD_LINEMERGE = False TIME_PREFIX = \[ category = Web description = National Center for Supercomputing Applications (NCSA) combined fo rmat HTTP web server logs (can be generated by apache or other web servers) [source::/opt/weblogs/apache.log] sourcetype = access_combined
To edit the props.conf file, follow these steps:
- On the machine where you want to create a source type, create the $SPLUNK_HOME/etc/system/local/props.conf file if it doesn't already exist.
You might need to create the local directory. If you use an app, go to the app in the $SPLUNK_HOME/etc/apps directory.
- Using a text editor, open the the props.conf file in $SPLUNK_HOME/etc/system/local directory.
- Add a stanza for the new source type and specify any settings that Splunk software is to use when handling the source type.
[my_sourcetype] setting1 = value setting2 = value
See the props.conf specification in the Splunk Enterprise Admin Manual for a list of settings.
- (Optional) If you know the name of the file to which the source type is to be applied, specify them in the
[my_sourcetype] setting1 = value setting2 = value <br> [source::.../my/logfile.log] sourcetype = my_sourcetype
- Save the props.conf file.
- Restart Splunk Enterprise. The new source types take effect after the restart completes.
Specify event breaks and time stamps
When you create a source type, there are some important settings to specify:
- Event breaks: To learn how to use the props.conf file to specify event breaks, see Configure event line breaking.
- Timestamps: To learn how to use the props.conf file to specify timestamps, see Configure timestamp recognition, as well as other topics in the Configure timestamps chapter of this manual.
There are also a number of additional settings that you can configure for event breaks and time stamps. See the props.conf specification in the Splunk Enterprise Admin Manual for more information.
Override source types on a per-event basis
Manage source types
This documentation applies to the following versions of Splunk Cloud Platform™: 8.1.2103, 8.2.2105, 8.2.2106, 8.2.2109, 8.2.2107, 8.2.2111, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203 (latest FedRAMP release), 9.0.2205, 9.0.2208