Sourcetypes Gone Wild

HELP, I have 515 sourcetypes!

Splunk can help bring order to the chaos of IT systems.  But when Splunk itself is in disarray it can hinder your powers of search and put a serious damper on your Splunk experience.  Giving Splunk a few pointers can make a big difference.

Because it can index anything, it is tempting to let Splunk loose on your entire data repository and expect it to sort it all out automatically.  We are working on a better setup and getting started experience, but until then Splunk can’t read your mind.  For now, it can definitely use a bit of coaching.

Without coaching you could end up with non-descriptive sourcetypes called ‘breakable_text’ or ‘too_small’ or better yet hundreds of sourcetypes–sourcetypes gone wild. To whip things into submission, simply add rules for applying sourcetype.

Woah, backup the trolley.  What is a sourcetype?

A sourcetype is Splunk’s term for data of a specific format.  For example, http access logs are known as access_common or access_combined.  Splunk ships with a set of sourcetypes, which means there are pre-configured rules for recognizing timestamps/field extractions/line breaking.  You can also define your own sourcetypes.  Rules can be applied to the default or any new sourcetypes created.  For more on sourcetypes:

So what?  Why should I care?

If you want to find the links on your website which are broken, then having sensible sourcetypes will allow you focus on just the http access logs and not your database logs or syslog or your mama’s logs.

If you are auditing access to your database cluster, then it’s really not important to search anything but your database logs.  Having well-organized sourcetypes will filter out the noise.

With sourcetypes under control, searches on http access data can start out with “sourcetype=access_common.”  It’s just one more way to pivot on all the events in your Splunk datastore.

Scenario 1: The logs are scattered in different directories.

Your directory structure looks something like this:


Easy peasy.  Add the inputs one at a time, and specify a sourcetype during setup.  This can be done in the SplunkWeb Manager, or via inputs.conf:

sourcetype = access_common

sourcetype = weblogic_stdout

sourcetype = db2_diag

sourcetype = mycustomsourcetype

Scenario 2: All the log files are belong in a single directory.

Your directory structure looks more like this:


First, define a single input for the parent directory, then add rules to apply sourcetype.  This currently cannot be done using the SplunkWeb Manager entirely.  The sourcetyping rules are added by editing props.conf.

In inputs.conf:


In props.conf:

sourcetype = access_common

sourcetype = websphere_out

sourcetype = db2_diag

sourcetype = mycustomsourcetype

Scenario 3: The logs are stored in arbitrarily nested subdirectories, say by host.  It’s really a combination of Scenario 1 and 2.

Your directory structure looks something like this:


The answer is the same as the one for Scenario 2.  The point is no matter how your directories and files are nested, you can set sourcetype rules using the name of the file.

Scenario 4: The same log or data stream contains different types of events, and thus differing event formats.

This is ugly logging practice and should be avoided. We do understand, however, as Splunk Admins you may not always have influence over how data is collected and how it’s formatted. So here goes…

Consider a sample snippet from a single source containing at least 2 differing event formats:

Example file /path/to/sample.log:

Jun 24 12:21:36 %PIX-6-302016: Teardown UDP connection 12345 for INET: to inside: duration 0:00:01 bytes 265
Jun 24 15:57:12 %PIX-6-302016: Teardown UDP connection 678910 for INET: to inside: duration 0:00:01 bytes 265
Jun 24 18:34:45 sshd(pam_unix)[17188]: session closed for user footer
Jun 24 19:36:19 su(pam_unix)[9795]: session opened for user foobar by (uid=0)

The first 2 events are Cisco PIX events while the last 2 are plain syslog events. To assign the 2 types of events to 2 separate sourcetypes the configuration will look something like the following.

In props.conf:

TRANSFORMS-yummy = setCPSourcetype, setSyslogSourcetype

In transforms.conf:

DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco-pix

DEST_KEY = MetaData:Sourcetype
REGEX = \w+ \d+ \d+:\d+:\d+ \S+ \w+\[\d+\]:
FORMAT = sourcetype::syslog

The use of the DEST_KEY parameter instructs Splunk to rewrite the default sourcetype field to the new value in the FORMAT parameter. The REGEX parameter needs to be flexible enough to capture all events of a particular format but restrictive enough to only capture events of the particular format. Scenario 4 is fairly uncommon, but it is included here for completeness.

Happy Sourcetyping

Don’t forget to restart Splunk after applying these changes to inputs.conf or props.conf. I hope this adventure in sourcetyping helps you on your way to a less unruly and more orderly Splunk.

Vi Ly
Posted by

Vi Ly

Join the Discussion