Using source types to break and merge data in Edge Processors
The source type is one of the default fields that Splunk software assigns to events. It identifies the kind of data that you are working with and indicates the original source of the data.
In the Edge Processor service, you can create source type configurations and use them to specify the following behavior:
- How your Edge Processors break and merge the inbound stream of data into distinct events. The event breaking and merging operations defined in your source type configurations are applied to inbound data if it meets the following criteria:
- The
sourcetype
value of an event matches the name of a source type configuration in the Edge Processor service. - The inbound data isn't already event-broken through other means, such as by the
EVENT_BREAKER
configuration in a universal forwarder.
- The
- What data a pipeline processes. When you create a pipeline, you select a source type. The pipeline processes only the events that have a matching
sourcetype
value.
By default, the Edge Processor solution includes event breaking and merging configurations for a variety of common source types. See Automatically recognized source types in the Splunk Cloud Platform Getting Data In manual for a list of default source types. If the source type that you want to work with is not listed, then you must add and configure that source type in the Edge Processor service. You can also edit the default source types to meet your needs.
See the following pages for more information:
Route internal logs from forwarders using an Edge Processor | Add source types for Edge Processors |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406
Feedback submitted, thanks!