Splunk® Light (Legacy)

Getting Started Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

About source types and input settings for Splunk Light

Splunk Light assigns a set of default fields to all incoming data as it indexes each event. These default fields include the source, source type, host, and index.

  • source is the file name, directory path, or network protocol and port where the data originates.
  • source type is the format of the data, such as syslog, IIS, or access_combined.
  • host is the machine or device where the data originates.
  • index is where Splunk Light stores the data after you add it.

When you configure new data inputs, you can override the default field assignments for source type, host, and index. This topic discusses the importance of each input setting and why you might want to change them.

Understanding source and source types

The source identifies where the data originates and assigns it to the field named, source. For data monitored from files and directories, the source is the name of the file or the full pathname of the file or directory, such as errorlog.txt or /var/log. For a network-based input, the source is the the protocol and port, such as UDP:514. Data can originate from one source, but have many source types.

The source type indicates the format of the data and assigns it to the field named, sourcetype. It is important to assign the correct source type to your data for the event data to display with the correct timestamps and event breaks.

Any common data format can be a source type. Splunk Light includes predefined source types for most log formats. When you configure new data inputs, Splunk Light attempts to automatically assign the source type based on these predefined settings. You can override the setting by selecting another source type from the list, if one matches. If your data is specialized and does not match one of the predefined source types, you can create new source types and customize your event processing settings. If needed, you can assign source types based on the event, rather than based on the source.

See Why source types matter in the Splunk Enterprise Getting Data In manual.

Predefined source types

The following table lists examples of predefined source types that Splunk Light can automatically assign to the sourcetype field when it indexes new data.

Source type Description Sample Event
access_combined_wcookie NCSA combined format HTTP web server logs with cookie field added at the end. This log can be generated by Apache or other web servers. "66.249.66.102.1124471045570513" 59.92.110.121 - - [19/Aug/2005:10:04:07 -0700] "GET /themes/splunk_com/images/logo_splunk.png HTTP/1.1" 200 994 "http://www.splunk.org/index.php/docs" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4" "61.3.110.148.1124404439914689"
apache_error Standard Apache web server error log. [Sun Aug 7 12:17:35 2005] [error] [client 10.1.1.015] File does not exist: /home/reba/public_html/images/bullet_image.gif
cisco_syslog Standard Cisco syslog produced by all Cisco network devices including PIX firewalls, routers, ACS, and so on, usually via remote syslog to a central log host. Sep 14 10:51:11 stage-test.splunk.com Aug 24 2005 00:08:49: %PIX-2-106001: Inbound TCP connection denied from IP_addr/port to IP_addr/port flags TCP_flags on interface int_name Inbound TCP connection denied from 144.1.10.222/9876 to 10.0.253.252/6161 flags SYN on interface outside
websphere_activity Websphere activity log, also often referred to as the service log. -------------------------------------- ComponentId: Application Server ProcessId: 2580 ThreadId: 0000001c ThreadName: Non-deferrable Alarm : 3 SourceId: com.ibm.ws.channel.framework.impl. WSChannelFrameworkImpl ClassName: MethodName: Manufacturer: IBM Product: WebSphere Version: Platform 6.0 [BASE 6.0.1.0 o0510.18] ServerName: nd6Cell01\was1Node01\TradeServer1 TimeStamp: 2005-07-01 13:04:55.187000000 UnitOfWork: Severity: 3 Category: AUDIT PrimaryMessage: CHFW0020I: The Transport Channel Service has stopped the Chain labeled SOAPAcceptorChain2 ExtendedMessage: -------------------------------------------

For the complete list, see List of pretrained source types in the Splunk Enterprise Getting Data In manual.

Overriding default host values

An event's host field value is the typically the hostname, the IP address, or the fully qualified domain name for the machine or device where the event orginates.

Splunk Light assigns a default host value to all incoming data, if no other host rules exist for the source. When you run Splunk Light on the server generating the events, this host assignment is the server's name and should not need to be modified.

You might need to override the default host assignment for received data inputs from a Splunk Forwarder. You can define a static host value for all incoming data for this input, or you can dynamically assign the host value to a portion of the path or filename of the source. Using the path segment can be helpful when you have a directory structure that segregates each host's log archive into different sub-directories.

See About hosts in the Splunk Enterprise Getting Data In manual.

Customizing indexes

The index field value specifies where the event data is stored on the Splunk Light instance after the data is added. By default, incoming data is saved to the main index. If you want to save new data to a custom index, you first need to create the index.

The following are some reasons why you might want to have multiple indexes:

  • Control user access. You might want to restrict access to data based on the user's role and permissions.
  • Accommodate different retention policies. If you have different archive or retention policies for different data sets, your can create indexes to reflect these policies.
  • Improve search speed. The index is a searchable field. If you typically search for events from specific inputs, you can create dedicated indexes for each data source. Then, you can specify that index when you search for that specific event.
  • Analyze metrics. Metrics data is stored in a metrics index, which is a type of index that is optimized for ingestion and retrieval of metrics.


See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual, and Get started with metrics in the Splunk Enterprise Metrics manual.

Last modified on 07 September, 2017
PREVIOUS
About adding data to Splunk Light 		  NEXT
Upload a file to Splunk Light

This documentation applies to the following versions of Splunk® Light (Legacy): 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters