This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
Use these instructions to train Splunk to recognize a new source type, or give it new samples to better recognize a pre-trained sourcetype. This will enable Splunk to classify future files that have similar patterns as your desired source type.
You can also try bypassing auto-classification in favor of hardcoded configurations, and just set a sourcetype for an input, or set a sourcetype for a source.
These commands assume you have set a Splunk environment variable. If you have not, you must navigate to $SPLUNK_HOME/bin and run the ./splunk command.
# splunk train sourcetype $FILE_NAME $SOURCETYPE_NAME
Fill in $FILE_NAME with the entire path to your file. $SOURCETYPE_NAME is the custom sourcetype you wish to create.
It's usually a good idea to train on a few different samples for any new sourcetype so that Splunk learns how varied a sourcetype can be.