Splunk® Add-on Builder

Splunk Add-on Builder User Guide

This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

Manage source types

Source types let you categorize your data for easier searching. To learn about source types, see Why source types matter in the Getting Data In manual.

You can add new source types in the Add-on Builder:

  • By creating a new source type and uploading sample data from one or more files for this source type.
  • By importing an existing source type from the Splunk platform.

Add a new source type

  1. On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
  2. On the Manage Source Types page, click Add and then New Source Type.
  3. Enter a unique source type name.
  4. Click Upload Data.
  5. Select the sample data file, then click Open.
  6. The preview displays the first 1000 events from the first 2MB of data.

  7. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how events for the data in this source type should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
  8. Click Save.
  9. Sample events are stored in a dedicated "add_on_builder_index" index.

Import an existing source type

  1. On your add-on homepage, click Manage Source Types on the Add-on Builder navigation bar.
  2. On the Manage Source Types page, click Add and then Import From Splunk.
  3. Select a source type from the drop-down list.
  4. (Optional) Click Upload Data, select the sample data file, then click Open.
  5. The preview displays the first 1000 events from the first 2MB of data.

  6. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option to indicate how events should be separated:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option to indicate how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.
  7. Click Save.

Edit an existing source type

  1. On your add-on homepage, click Manage Source Type on the Add-on Builder navigation bar.
  2. Click Edit on the source type you want to edit.
  3. (Optional) Click Upload Data, navigate to and select the sample data file, then click Open.
  4. The preview displays the first 1000 events from the first 2MB of data.

  5. Adjust indexing settings as needed:
    • Expand the Event Breaks section and select an option that indicates how to separate events:
      • Auto: Events are auto-detected based on their timestamp location.
      • Every Line: Every line is one event.
      • Regex: Use a regular expression to define a pattern to split events.
    • Expand the Timestamp section and select an option that indicates how to generate timestamps for the data.
    • Expand the Advanced section to specify additional index-time parameters for parsing data.

Learn more

Last modified on 13 June, 2022
Create a setup page   Extract fields

This documentation applies to the following versions of Splunk® Add-on Builder: 4.1.1, 4.1.2, 4.1.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters