About source types and input settings for Splunk Light
- source is the file name, directory path, or network protocol and port where the data originates.
- source type is the format of the data, such as syslog, IIS, or access_combined.
- host is the machine or device where the data originates.
- index is where Splunk Light stores the data after you add it.
When you configure new data inputs, you can override the default field assignments for source type, host, and index. This topic discusses the importance of each input setting and why you might want to change them.
Understanding source and source types
The source identifies where the data originates and assigns it to the field named,
source. For data monitored from files and directories, the source is the name of the file or the full pathname of the file or directory, such as
/var/log. For a network-based input, the source is the the protocol and port, such as
UDP:514. Data can originate from one source, but have many source types.
The source type indicates the format of the data and assigns it to the field named,
sourcetype. It is important to assign the correct source type to your data for the event data to display with the correct timestamps and event breaks.
Any common data format can be a source type. Splunk Light includes predefined source types for most log formats. When you configure new data inputs, Splunk Light attempts to automatically assign the source type based on these predefined settings. You can override the setting by selecting another source type from the list, if one matches. If your data is specialized and does not match one of the predefined source types, you can create new source types and customize your event processing settings. If needed, you can assign source types based on the event, rather than based on the source.
See Why source types matter in the Splunk Enterprise Getting Data In manual.
Predefined source types
The following table lists examples of predefined source types that Splunk Light can automatically assign to the
sourcetype field when it indexes new data.
|Source type||Description||Sample Event|
|access_combined_wcookie||NCSA combined format HTTP web server logs with cookie field added at the end. This log can be generated by Apache or other web servers.|
|apache_error||Standard Apache web server error log.|
|cisco_syslog||Standard Cisco syslog produced by all Cisco network devices including PIX firewalls, routers, ACS, and so on, usually via remote syslog to a central log host.|
|websphere_activity||Websphere activity log, also often referred to as the service log.|
For the complete list, see List of pretrained source types in the Splunk Enterprise Getting Data In manual.
Overriding default host values
host field value is the typically the hostname, the IP address, or the fully qualified domain name for the machine or device where the event orginates.
Splunk Light assigns a default host value to all incoming data, if no other host rules exist for the source. When you run Splunk Light on the server generating the events, this host assignment is the server's name and should not need to be modified.
You might need to override the default host assignment for received data inputs from a Splunk Forwarder. You can define a static host value for all incoming data for this input, or you can dynamically assign the host value to a portion of the path or filename of the source. Using the path segment can be helpful when you have a directory structure that segregates each host's log archive into different sub-directories.
See About hosts in the Splunk Enterprise Getting Data In manual.
index field value specifies where the event data is stored on the Splunk Light instance after the data is added. By default, incoming data is saved to the
main index. If you want to save new data to a custom index, you first need to create the index.
The following are some reasons why you might want to have multiple indexes:
- Control user access. You might want to restrict access to data based on the user's role and permissions.
- Accommodate different retention policies. If you have different archive or retention policies for different data sets, your can create indexes to reflect these policies.
- Improve search speed. The index is a searchable field. If you typically search for events from specific inputs, you can create dedicated indexes for each data source. Then, you can specify that index when you search for that specific event.
- Analyze metrics. Metrics data is stored in a metrics index, which is a type of index that is optimized for ingestion and retrieval of metrics.
About adding data to Splunk Light
Upload a file to Splunk Light
This documentation applies to the following versions of Splunk® Light: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4