Set source type for an input
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
Contents
Set source type for an input
Use these instructions to explicitly set a sourcetype for all data coming in via a specific configured input.
If you have a directory input (such as tailing /var/log/), this method assigns the same sourcetype for every file in the directory. To assign different sourcetypes for each discrete source in the same input directory, set sourcetype for a source instead.
Note: This configuration only impacts new data coming in via the input. To correct the sourcetype displayed in SplunkWeb for data that has already been indexed, create an alias instead.
via SplunkWeb
When you configure your data inputs through SplunkWeb, you can hardcode a sourcetype.
Pick from a list of sourcetypes
If your source is one of Splunk's pre-trained sourcetypes, it's a good idea to pick the same name Splunk would try to assign automatically. For a description of Splunk's pre-trained sourcetypes, see the sourcetype reference page.
Choose From list from the set source type drop down:
Use a new sourcetype name
Select Manual from the drop down menu at the bottom of the data input screen:
Input your source type name in the Source Type box.
Your events will now have that sourcetype:: value:
via configuration files
When you are configuring inputs via inputs.conf, you can set a sourcetype. Include a sourcetype = attribute within the appropriate stanza in $SPLUNK_HOME/etc/bundles/local/inputs.conf:
[tcp://:9995] connection_host = dns sourcetype = log4j source = tcp:9995
This sets any events coming from your TCP input on port 9995 as sourcetype::log4j.