In most cases, the Splunk platform determines the best source type for your data and automatically assigns it to incoming events. In some cases, however, you might need to explicitly assign a source type to your data. You usually do this when you define the data input. For details on how to improve source type assignment, see the following topics:

- Override automatic source type assignment
- Override source types on a per-event basis
- Configure rule-based source type recognition

For more information about how the Splunk platform assigns source types, see How the Splunk platform assigns source types.

If none of the existing source types fits the needs of your data, create a new one. Splunk Web lets you adjust source type settings to fit your data. In essence, it's a visual source type editor. If you use Splunk Cloud Platform, use Splunk Web or Apps to define source types.

Preview data to test and modify source types

Splunk Web lets you review the effects of applying a source type to an input. It lets you preview the resulting events without actually committing them to an index. You can also edit timestamp and event breaking settings interactively and then save the modifications as a new source type. For information on how data preview functions as a source type editor, see Use the Set Source Type page.

Sourcetype is the name of the source type search field. You can use the sourcetype field to find similar types of data from any source type. For example, you can search sourcetype=weblogic_stdout to find all of your WebLogic server events, even when WebLogic is logging from more than one domain, or host in Splunk terms.

How the Splunk platform assigns source types

The Splunk platform uses a variety of methods to assign source types to event data at index time.