Splunk - Source Types



Every event that Splunk ingests is examined when it is indexed and assigned a source type, the label that tells Splunk what kind of data it is looking at. For example, if the data is an access log from an Apache web server, Splunk recognizes the format and, at search time, extracts the appropriate fields (client IP, request method, status code and so on) from each event.

This feature is called source type detection. It relies on Splunk's built-in source types, known as "pretrained" source types, each of which carries the timestamp rules, line-breaking rules and field extractions for one well-known log format.

This simplifies analysis because the user does not have to classify the data by hand or define fields for every incoming feed. Automatic detection is a convenience, not a guarantee: if Splunk does not recognize a format, or guesses wrong, the events are indexed under a generic or incorrect source type and the expected fields are never extracted, so searches and alerts that key on those fields silently miss them. For data that feeds security monitoring, set the source type explicitly on the input (the sourcetype setting of the monitor stanza in inputs.conf) instead of relying on detection, and check the Data Summary after onboarding a new feed to confirm the events landed under the source type you expected.

Supported Source Types

The source types Splunk supports can be browsed by uploading a file through the Add Data feature and opening the Source Type dropdown. In the image below, we uploaded a CSV file and then checked the available options.

[Image: the Source Type dropdown shown in the Add Data screen after uploading a CSV file]

Source Type Sub-Category

Within each category you can click further to see the sub-categories that are supported. For example, under the Database category you find the individual database products and the log files of theirs that Splunk recognizes.

[Image: the Database category expanded to show its database-specific source types]

Pre-Trained Source Types

The table below lists some of the important pretrained source types Splunk recognizes:

Source Type Name          Nature
access_combined           NCSA combined format HTTP web server logs (generated by Apache or other web servers)
access_combined_wcookie   NCSA combined format HTTP web server logs (generated by Apache or other web servers), with a cookie field added at the end
apache_error              Standard Apache web server error log
linux_messages_syslog     Standard Linux syslog (/var/log/messages on most platforms)
log4j                     Log4j standard output produced by any J2EE server using log4j
mysqld_error              Standard MySQL error log
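To show what source type detection and the field extraction that follows from it amount to in practice, the script below is an added example written for this page; it is not Splunk's code and does not reproduce Splunk's actual detection algorithm or its props.conf extractions. It implements a simplified version of the same idea: an ordered list of regular expressions, one per pretrained source type from the table above, is tried against each event, the first match assigns the source type, and the named groups become the extracted fields. The sample log lines, the field names and the regular expressions are all constructed assumptions (the field names only loosely follow Splunk's, and real log4j layouts vary); a JSON line is included to show what happens when nothing matches.

```python
import re

# Constructed sample events, one per pretrained source type from the table
# above, plus a JSON line that none of the rules recognize. Not real traffic.
SAMPLE_EVENTS = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 2326 '
    '"http://example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 512 '
    '"http://example.com/login" "Mozilla/5.0" "session=abc123"',
    '[Tue Oct 10 13:55:38.123456 2023] [core:error] [pid 1234] '
    '[client 203.0.113.5:54321] AH00128: File does not exist: /var/www/html/.env',
    'Oct 10 13:55:39 web01 sshd[2345]: Failed password for invalid user admin '
    'from 203.0.113.5 port 54322 ssh2',
    '2023-10-10 13:55:40,123 ERROR [http-nio-8080-exec-1] com.example.Auth - '
    'Login failed for user admin',
    "2023-10-10T13:55:41.000000Z 0 [ERROR] Access denied for user 'root'@'203.0.113.5' "
    "(using password: YES)",
    '{"event": "login", "user": "admin", "result": "failure"}',
]

# Shared core of the NCSA combined format; access_combined_wcookie is the same
# layout with one more quoted field at the end. Field names are assumptions.
_NCSA_CORE = (
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri_path>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"'
)

# Ordered detection rules: the most specific pattern comes first so that a
# cookie-bearing line is not claimed by the plain access_combined rule.
DETECTION_RULES = [
    ("access_combined_wcookie", re.compile(_NCSA_CORE + r' "(?P<cookie>[^"]*)"\s*$')),
    ("access_combined", re.compile(_NCSA_CORE + r'\s*$')),
    # Apache 2.4 error log: [timestamp] [module:level] [pid N(:tid M)] [client IP:port] message
    ("apache_error", re.compile(
        r'^\[(?P<timestamp>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} [\d:.]+ \d{4})\] '
        r'\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\]'
        r'(?: \[pid (?P<pid>\d+)(?::tid \d+)?\])?'
        r'(?: \[client (?P<clientip>[^\]]+)\])? (?P<message>.*)$')),
    # BSD-style syslog as written to /var/log/messages: "Mon DD HH:MM:SS host proc[pid]: msg"
    ("linux_messages_syslog", re.compile(
        r'^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
        r'(?P<process>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$')),
    # log4j with the common "%d %p [%t] %c - %m" layout (an assumption; layouts vary).
    ("log4j", re.compile(
        r'^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:,\d{3})?) +'
        r'(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) +\[(?P<thread>[^\]]+)\] '
        r'(?P<logger>\S+) - (?P<message>.*)$')),
    # MySQL 5.7/8.0 error log; the [MY-nnnnnn] [Subsystem] pair appears only in 8.0.
    ("mysqld_error", re.compile(
        r'^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) (?P<thread_id>\d+) '
        r'\[(?P<level>Note|Warning|ERROR|System)\]'
        r'(?: \[(?P<error_code>MY-\d+)\] \[(?P<subsystem>[^\]]+)\])? (?P<message>.*)$')),
]


def detect_sourcetype(event):
    """Return (sourcetype, fields) for the first matching rule, or ("unknown", {})."""
    for sourcetype, pattern in DETECTION_RULES:
        match = pattern.match(event)
        if match:
            fields = {k: v for k, v in match.groupdict().items() if v is not None}
            return sourcetype, fields
    return "unknown", {}


def classify_events(events):
    """Classify a batch of raw events; returns a list of (sourcetype, fields)."""
    return [detect_sourcetype(e) for e in events]


def count_by_sourcetype(events):
    """Count events per detected source type, analogous to a per-sourcetype summary."""
    counts = {}
    for sourcetype, _ in classify_events(events):
        counts[sourcetype] = counts.get(sourcetype, 0) + 1
    return counts


if __name__ == "__main__":
    for event, (sourcetype, fields) in zip(SAMPLE_EVENTS, classify_events(SAMPLE_EVENTS)):
        print(f"{sourcetype:24s} {event[:60]}")
        for name, value in fields.items():
            print(f"    {name} = {value}")
    print(count_by_sourcetype(SAMPLE_EVENTS))
```

The order of the rules is the point to notice: access_combined_wcookie is tried before access_combined, because the more general pattern would otherwise claim the cookie-bearing line and the cookie field would never be extracted. The JSON line ends up as unknown with no fields, which is the failure mode to watch for in a real deployment: the event is indexed, but a search such as status=401 never sees it.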