List of pretrained source types
Splunk software ships with built-in or pretrained source types that it uses to parse incoming data into events.
The Splunk platform can automatically recognize and assign many of these pretrained source types to incoming data. You can also manually assign pretrained source types that the Splunk platform doesn't recognize automatically. To assign source types manually, see Override automatic source type assignment.
From a heavy or universal forwarder, you can also configure source types from the inputs.conf configuration file. If you use Splunk Enterprise, you can assign source types from either Splunk Web or from the inputs.conf file.
Use a pretrained source type if it matches your data, as the Splunk platform already knows how to properly index pretrained source types. If your data doesn't fit any pretrained source types, you can create your own source types. See Create source types. The Splunk platform can also index virtually any format of data even without custom properties.
Automatically recognized source types
The following table shows the source types the Splunk platform recognizes automatically:

| Source type | Description |
|---|---|
| access_combined | NCSA combined format HTTP web server logs. Can be generated by Apache or other web servers. |
| access_combined_wcookie | NCSA combined format HTTP web server logs. Can be generated by Apache or other web servers, with a cookie field added at the end. |
| access_common | NCSA common format HTTP web server logs. Can be generated by Apache or other web servers. |
| apache_error | Standard Apache web server error log |
| asterisk_cdr | Standard Asterisk IP PBX call detail record |
| asterisk_event | Standard Asterisk event log (management events) |
| asterisk_messages | Standard Asterisk messages log (errors and warnings) |
| asterisk_queue | Standard Asterisk queue log |
| cisco_syslog | Standard Cisco syslog produced by all Cisco network devices, including PIX firewalls, routers, ACS, and so on. Usually delivered through remote syslog to a central log host. |
| db2_diag | Standard IBM DB2 database administrative and error log |
| exim_main | Exim MTA mainlog |
| exim_reject | Exim reject log |
| linux_messages_syslog | Standard Linux syslog, located at /var/log/messages on most platforms |
| linux_secure | Linux authentication log on Red Hat, Debian, and equivalent distributions |
| log4j | Log4j standard output produced by any J2EE server using log4j |
| mysqld_error | Standard MySQL error log |
| mysqld | Standard MySQL query log; also matches the MySQL binary log after conversion to text |
| postfix_syslog | Standard Postfix MTA log reported through the *nix syslog facility |
| sendmail_syslog | Standard Sendmail MTA log reported through the *nix syslog facility |
| sugarcrm_log4php | Standard SugarCRM activity log reported using the log4php utility |
| weblogic_stdout | WebLogic server log in the standard native BEA format |
| websphere_activity | WebSphere activity log, also often referred to as the service log |
| websphere_core | Core file export from WebSphere |
| websphere_trlog_syserr | Standard WebSphere system error log in the IBM native trlog format |
| websphere_trlog_sysout | Standard WebSphere system out log in the IBM native trlog format. Similar to the log4j server log for Resin and JBoss. Same format as the system error log, but contains lower severity and informational events. |
| windows_snare_syslog | Standard Windows event log reported through a third-party Intersect Alliance Snare agent to remote syslog on a *nix server |
Special source types
The following table shows the special source types:

| Source type | Description | Examples |
|---|---|---|
| known_binary | The file name matches a pattern generally known as that of a binary file, not a log file | MP3 files, images, .rdf files, .dat files, and other obvious non-text files |
Pretrained source types
The following table shows the pretrained source types, including both those that are automatically recognized and those that are not:

| Category | Source types |
|---|---|
| Application servers | log4j, log4php, weblogic_stdout, websphere_activity, websphere_core, websphere_trlog, catalina, ruby_on_rails |
| Databases | db2_diag, mysqld, mysqld_error, mysqld_bin, mysql_slow |
| Email | exim_main, exim_reject, postfix_syslog, sendmail_syslog, procmail |
| Operating systems | linux_messages_syslog, linux_secure, linux_audit, linux_bootlog, anaconda, anaconda_syslog, osx_asl, osx_crashreporter, osx_crash_log, osx_install, osx_secure, osx_daily, osx_weekly, osx_monthly, osx_window_server, windows_snare_syslog, dmesg, ftp, ssl_error, syslog, sar, rpmpkgs |
| Metrics | collectd_http, metrics_csv, statsd |
| Printers | cups_access, cups_error, spooler |
| Routers and firewalls | cisco_cdr, cisco:asa, cisco_syslog, clavister |
| VoIP | asterisk_cdr, asterisk_event, asterisk_messages, asterisk_queue |
| Web servers | access_combined, access_combined_wcookie, access_common, apache_error, iis* |
| Splunk software | splunk_com_php_error, splunkd, splunkd_crash_log, splunkd_misc, splunkd_stderr, splunk-blocksignature, splunk_directory_monitor, splunk_directory_monitor_misc, splunk_search_history, splunkd_remote_searches, splunkd_access, splunkd_ui_access, splunk_web_access, splunk_web_service, splunkd_conf*, django_access, splunk_help, mongod |
| Non-log files | csv*, psv*, tsv*, _json*, json_no_timestamp, fs_notification, exchange*, generic_single_line |
| Miscellaneous | snort, splunk_disk_objects*, splunk_resource_usage*, kvstore* |

The source types marked with an asterisk ( * ) use the INDEXED_EXTRACTIONS attribute, which sets other attributes in props.conf to specific defaults and requires special handling to forward to another Splunk platform instance. See Forward fields extracted from structured data files.
Learn a source type configuration
To find out what configuration information the Splunk platform uses to index a given source type, you can use the btool utility to show the properties on your forwarder. If you use Splunk Enterprise, you can do this on your Splunk Enterprise instance.
For more information on using btool, refer to Use btool to troubleshoot configurations in the Troubleshooting Manual.
The following example shows how to list the configuration for the tcp source type:

```
$ ./splunk btool props list tcp
[tcp]
BREAK_ONLY_BEFORE = (=\+)+
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
KV_MODE = none
LEARN_SOURCETYPE = true
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
REPORT-tcp = tcpdump-endpoints, colon-kv
SEGMENTATION = inner
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = foo
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = True
TRANSFORMS =
TRANSFORMS-baindex = banner-index
TRANSFORMS-dlindex = download-index
TRUNCATE = 10000
maxDist = 100
pulldown_type = true
```
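As an added example (not Splunk's own code), the following script parses the kind of `btool props list` output shown above into stanzas and attributes, and flags any stanza that sets INDEXED_EXTRACTIONS, the attribute the asterisked source types rely on and which needs special handling when forwarding. The sample text is constructed: a shortened copy of the tcp listing plus a hypothetical `my_csv_feed` stanza.

```python
"""Parse 'splunk btool props list' output and flag stanzas that need
special forwarding handling. Added example; not part of Splunk."""
import re
from typing import Dict, List

# Constructed sample: a trimmed tcp listing plus a hypothetical
# structured-data stanza (my_csv_feed) that sets INDEXED_EXTRACTIONS.
SAMPLE_BTOOL_OUTPUT = """\
[tcp]
BREAK_ONLY_BEFORE = (=\\+)+
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
MUST_BREAK_AFTER =
REPORT-tcp = tcpdump-endpoints, colon-kv
SHOULD_LINEMERGE = True
TRUNCATE = 10000
[my_csv_feed]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
SHOULD_LINEMERGE = false
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
ATTR_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


def parse_btool_props(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza: {attribute: value}}. Attributes with an empty
    value, such as 'MUST_BREAK_AFTER = ', are kept with value ''."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value").strip()
    return stanzas


def stanzas_needing_special_handling(text: str) -> List[str]:
    """Names of stanzas that set INDEXED_EXTRACTIONS to a non-empty value,
    i.e. those whose forwarding needs the structured-data handling."""
    props = parse_btool_props(text)
    return sorted(n for n, a in props.items() if a.get("INDEXED_EXTRACTIONS", ""))
```

Run it against real output by replacing SAMPLE_BTOOL_OUTPUT with the text captured from `./splunk btool props list` on the forwarder.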
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209 (latest FedRAMP release), 8.2.2106, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208