Distribute source type configurations in Splunk Enterprise
If you create source types in Splunk Cloud Platform using Splunk Web, Splunk Cloud Platform manages the source type configurations automatically. However, if you have Splunk Enterprise and manage a distributed configuration, you must distribute new source type as described in this topic.
You can use either the "Set source type" or source type management pages in Splunk Web to create new source types, which you can then assign to inputs from specific files or directories, or for network inputs. Either of these pages saves a new source type to a props.conf
configuration file on the local Splunk Enterprise instance. You can then distribute this file to other Splunk Enterprise instances so that they recognize the new source type.
You can use a new source type in a distributed environment where you have forwarders consuming data and then sending the data to indexers.
To install this new source type, follow these high-level steps:
- Distribute the
props.conf
file that contains the source type definition to the$SPLUNK_HOME/etc/system/local
directory on indexers that you want to index data with the source type you created. - Use the new source type when you define an input on forwarders that send data to those indexers.
When a forwarder sends data that has been tagged with the new source type to an indexer, the indexer can correctly process it into events.
Data preview props.conf file
When you create a source type in the "Set Sourcetype" page, the software saves the source type definition as a stanza in a props.conf file in the app that you selected when you saved the source type. If you later create additional source types, they are saved to the same props.conf
file.
For example, if you selected the "Search and Reporting" app, the file resides in $SPLUNK_HOME/etc/apps/search/local/props.conf
. The only exception is the "System" app: If you choose that app when saving the source type, the file resides in $SPLUNK_HOME/etc/system/local.
.
Note:' A Splunk Enterprise instance might have multiple versions of some configuration files, in several directories. At run-time, Splunk Enterprise combines the contents of configuration files according to a set of precedence rules. For background on how configuration files work, see About configuration files and Configuration file precedence.
Distribute props.conf to other indexers
After you create source types, you can distribute props.conf
to another Splunk Enterprise instance. That instance can then index any incoming data that you tag with the new source type.
A Splunk best practice is to place the configuration file in its own app directory on the target Splunk Enterprise instance; for example, $SPLUNK_HOME/etc/apps/custom_sourcetype/local/
.
To distribute configuration files to other Splunk instances, you can use a deployment server or another distribution tool. See the Updating Splunk Instances manual.
Note: Splunk software uses the source type definitions in props.conf
to parse incoming data into events. For this reason, you can only distribute the file to a Splunk Enterprise instance that performs parsing (either an indexer or a heavy forwarder.)
Specify the new source type in forwarder inputs
Forwarders (with the exception of the heavy forwarder) do not have Splunk Web. This means that you must configure their inputs through the CLI or the inputs.conf
configuration file. When you specify an input in that file, you can also specify its source type. For information on inputs.conf
, read the section on inputs.conf
in the Configuration file reference.
- To tag a forwarder input with a new source type, add the source type to the input stanza in
inputs.conf
. For example:
[tcp://:9995] sourcetype = new_network_type
- Confirm that all of the indexers that the forwarder sends data to have copies of the
props.conf
file that contains the source type definition fornew_network_type
. When the forwarder sends data to the indexers, they can identify the new source type and correctly format the data.
Modify input settings | Monitor files and directories |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406
Feedback submitted, thanks!