Splunk Cloud Platform

Getting Data In

Distribute source type configurations in Splunk Enterprise

If you create source types in Splunk Cloud Platform using Splunk Web, Splunk Cloud Platform manages the source type configurations automatically. However, if you have Splunk Enterprise and manage a distributed configuration, you must distribute new source type as described in this topic.

You can use either the "Set source type" or source type management pages in Splunk Web to create new source types, which you can then assign to inputs from specific files or directories, or for network inputs. Either of these pages saves a new source type to a props.conf configuration file on the local Splunk Enterprise instance. You can then distribute this file to other Splunk Enterprise instances so that they recognize the new source type.

You can use a new source type in a distributed environment where you have forwarders consuming data and then sending the data to indexers.

To install this new source type, follow these high-level steps:

  1. Distribute the props.conf file that contains the source type definition to the $SPLUNK_HOME/etc/system/local directory on indexers that you want to index data with the source type you created.
  2. Use the new source type when you define an input on forwarders that send data to those indexers.

When a forwarder sends data that has been tagged with the new source type to an indexer, the indexer can correctly process it into events.

Data preview props.conf file

When you create a source type in the "Set Sourcetype" page, the software saves the source type definition as a stanza in a props.conf file in the app that you selected when you saved the source type. If you later create additional source types, they are saved to the same props.conf file.

For example, if you selected the "Search and Reporting" app, the file resides in $SPLUNK_HOME/etc/apps/search/local/props.conf. The only exception is the "System" app: If you choose that app when saving the source type, the file resides in $SPLUNK_HOME/etc/system/local..

Note:' A Splunk Enterprise instance might have multiple versions of some configuration files, in several directories. At run-time, Splunk Enterprise combines the contents of configuration files according to a set of precedence rules. For background on how configuration files work, see About configuration files and Configuration file precedence.

Distribute props.conf to other indexers

After you create source types, you can distribute props.conf to another Splunk Enterprise instance. That instance can then index any incoming data that you tag with the new source type.

A Splunk best practice is to place the configuration file in its own app directory on the target Splunk Enterprise instance; for example, $SPLUNK_HOME/etc/apps/custom_sourcetype/local/.

To distribute configuration files to other Splunk instances, you can use a deployment server or another distribution tool. See the Updating Splunk Instances manual.

Note: Splunk software uses the source type definitions in props.conf to parse incoming data into events. For this reason, you can only distribute the file to a Splunk Enterprise instance that performs parsing (either an indexer or a heavy forwarder.)

Specify the new source type in forwarder inputs

Forwarders (with the exception of the heavy forwarder) do not have Splunk Web. This means that you must configure their inputs through the CLI or the inputs.conf configuration file. When you specify an input in that file, you can also specify its source type. For information on inputs.conf, read the section on inputs.conf in the Configuration file reference.

  1. To tag a forwarder input with a new source type, add the source type to the input stanza in inputs.conf. For example:
    sourcetype = new_network_type
  2. Confirm that all of the indexers that the forwarder sends data to have copies of the props.conf file that contains the source type definition for new_network_type. When the forwarder sends data to the indexers, they can identify the new source type and correctly format the data.
Last modified on 27 October, 2021
Modify input settings   Monitor files and directories

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters