
About source types and input settings for Splunk Light
Splunk Light assigns a set of default fields to all incoming data as it indexes each event. These default fields include the source, source type, host, and index.
- source is the file name, directory path, or network protocol and port where the data originates.
- source type is the format of the data, such as syslog, IIS, or access_combined.
- host is the machine or device where the data originates.
- index is where Splunk Light stores the data after you add it.
When you configure new data inputs, you can override the default field assignments for source type, host, and index. This topic discusses the importance of each input setting and why you might want to change them.
Understanding source and source types
The source identifies where the data originates and assigns it to the field named source. For data monitored from files and directories, the source is the name of the file or the full pathname of the file or directory, such as errorlog.txt or /var/log. For a network-based input, the source is the protocol and port, such as UDP:514. Data can originate from one source but have many source types.
The source type indicates the format of the data and assigns it to the field named sourcetype. It is important to assign the correct source type to your data so that the event data displays with the correct timestamps and event breaks.
Any common data format can be a source type. Splunk Light includes predefined source types for most log formats. When you configure new data inputs, Splunk Light attempts to automatically assign the source type based on these predefined settings. You can override the setting by selecting another source type from the list, if one matches. If your data is specialized and does not match one of the predefined source types, you can create new source types and customize your event processing settings. If needed, you can assign source types based on the event, rather than based on the source.
See Why source types matter in the Splunk Enterprise Getting Data In manual.
Predefined source types
The following table lists examples of predefined source types that Splunk Light can automatically assign to the sourcetype field when it indexes new data.
Source type | Description | Sample Event
---|---|---
access_combined_wcookie | NCSA combined format HTTP web server logs with a cookie field added at the end. This log can be generated by Apache or other web servers. | "66.249.66.102.1124471045570513" 59.92.110.121 - - [19/Aug/2005:10:04:07 -0700] "GET /themes/splunk_com/images/logo_splunk.png HTTP/1.1" 200 994 "http://www.splunk.org/index.php/docs" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4" "61.3.110.148.1124404439914689"
apache_error | Standard Apache web server error log. | [Sun Aug 7 12:17:35 2005] [error] [client 10.1.1.015] File does not exist: /home/reba/public_html/images/bullet_image.gif
cisco_syslog | Standard Cisco syslog produced by all Cisco network devices including PIX firewalls, routers, ACS, and so on, usually via remote syslog to a central log host. | Sep 14 10:51:11 stage-test.splunk.com Aug 24 2005 00:08:49: %PIX-2-106001: Inbound TCP connection denied from IP_addr/port to IP_addr/port flags TCP_flags on interface int_name Inbound TCP connection denied from 144.1.10.222/9876 to 10.0.253.252/6161 flags SYN on interface outside
websphere_activity | WebSphere activity log, also often referred to as the service log. | -------------------------------------- ComponentId: Application Server ProcessId: 2580 ThreadId: 0000001c ThreadName: Non-deferrable Alarm : 3 SourceId: com.ibm.ws.channel.framework.impl. WSChannelFrameworkImpl ClassName: MethodName: Manufacturer: IBM Product: WebSphere Version: Platform 6.0 [BASE 6.0.1.0 o0510.18] ServerName: nd6Cell01\was1Node01\TradeServer1 TimeStamp: 2005-07-01 13:04:55.187000000 UnitOfWork: Severity: 3 Category: AUDIT PrimaryMessage: CHFW0020I: The Transport Channel Service has stopped the Chain labeled SOAPAcceptorChain2 ExtendedMessage: -------------------------------------------
For the complete list, see List of pretrained source types in the Splunk Enterprise Getting Data In manual.
Overriding default host values
An event's host field value is typically the hostname, the IP address, or the fully qualified domain name of the machine or device where the event originates.
Splunk Light assigns a default host value to all incoming data, if no other host rules exist for the source. When you run Splunk Light on the server generating the events, this host assignment is the server's name and should not need to be modified.
You might need to override the default host assignment for data inputs received from a Splunk Forwarder. You can define a static host value for all incoming data for this input, or you can dynamically assign the host value from a portion of the path or filename of the source. Using the path segment can be helpful when you have a directory structure that segregates each host's log archive into a different subdirectory.
See About hosts in the Splunk Enterprise Getting Data In manual.
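To make the default field assignments concrete, the following is an added Python example (not Splunk code) covering both the source type assignment described under "Understanding source and source types" and the host-from-path override described above: it matches shortened versions of the sample events from the table, parses each format's timestamp, and takes the host from a path segment of a constructed file path. The matchers, the example file paths and the host names are assumptions, not Splunk's own rules.

```python
import re
from datetime import datetime

# Sample events adapted (shortened) from the predefined source type table on
# this page; the file paths and host names used below are constructed.
SAMPLE_EVENTS = {
    "access": '"66.249.66.102.1124471045570513" 59.92.110.121 - - '
              '[19/Aug/2005:10:04:07 -0700] "GET /themes/logo.png HTTP/1.1" 200 994',
    "apache_error": "[Sun Aug 7 12:17:35 2005] [error] [client 10.1.1.015] "
                    "File does not exist: /home/reba/public_html/images/bullet_image.gif",
    "cisco": "Sep 14 10:51:11 stage-test.splunk.com Aug 24 2005 00:08:49: "
             "%PIX-2-106001: Inbound TCP connection denied from 144.1.10.222/9876",
}

# One hypothetical matcher per source type, each paired with the strptime
# layout of the timestamp it captures: the source type decides the event time.
SOURCETYPE_RULES = [
    ("access_combined_wcookie",
     re.compile(r'^"[^"]*" \S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ '),
     "%d/%b/%Y:%H:%M:%S %z"),
    ("apache_error",
     re.compile(r'^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] \[\w+\]'),
     "%a %b %d %H:%M:%S %Y"),
    ("cisco_syslog",
     re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*%\w+-\d-\d+:'),
     "%b %d %H:%M:%S"),
]

def detect_sourcetype(event, default_year=2005):
    """Return (sourcetype, timestamp) from the first matching rule, else (None, None)."""
    for name, pattern, layout in SOURCETYPE_RULES:
        if m := pattern.match(event):
            ts = datetime.strptime(m.group("ts"), layout)
            if "%Y" not in layout:          # syslog carries no year: borrow one
                ts = ts.replace(year=default_year)
            return name, ts
    return None, None

def host_from_source(source, segment):
    # Nth (1-based) path segment; None when the source has too few segments
    parts = [p for p in source.split("/") if p]
    return parts[segment - 1] if 0 < segment <= len(parts) else None

def assign_default_fields(event, source, default_host, host_segment=None, index="main"):
    """Build the four default fields plus _time the way the page describes them."""
    sourcetype, ts = detect_sourcetype(event)
    host = host_from_source(source, host_segment) if host_segment else None
    return {"source": source, "sourcetype": sourcetype, "index": index,
            "host": host or default_host,            # static value as fallback
            "_time": ts.isoformat() if ts else None}
```

A network source such as UDP:514 has no usable path segment, so the static default host is kept; the Cisco sample shows why a syslog source type needs a year supplied from elsewhere.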
Customizing indexes
The index field value specifies where the event data is stored on the Splunk Light instance after the data is added. By default, incoming data is saved to the main index. If you want to save new data to a custom index, you first need to create the index.
The following are some reasons why you might want to have multiple indexes:
- Control user access. You might want to restrict access to data based on the user's role and permissions.
- Accommodate different retention policies. If you have different archive or retention policies for different data sets, you can create indexes to reflect these policies.
- Improve search speed. The index is a searchable field. If you typically search for events from specific inputs, you can create dedicated indexes for each data source. Then, you can specify that index when you search for that specific event.
- Analyze metrics. Metrics data is stored in a metrics index, which is a type of index that is optimized for ingestion and retrieval of metrics.
See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual, and Get started with metrics in the Splunk Enterprise Metrics manual.
This documentation applies to the following versions of Splunk® Light (Legacy): 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6