Sourcetype manager is another very useful provision added in Splunk 6.3, which can be used to manage the sourcetype for on-boarding the data on Splunk. It can be used to manage (create, modify, and delete) sourcetype configurations independent of getting data in and searching within the sourcetype picker. We have already learned in the Chapter 2, Developing Application on Splunk about how to assign and configure sourcetype while uploading the data on Splunk.
Sourcetype manager enlists all the sourcetype configured in the Splunk instance along with the inbuilt default sourcetypes. The sourcetype manager can be accessed by navigating in the Splunk Web console to Settings | Data | Sourcetype.
Now let us learn what can be done from the sourcetype manager:
- Create a sourcetype: In previous versions of Splunk when sourcetype manager was not present to create a sourcetype, first we needed to add data to Splunk or else the
inputs.conffile needed to be configured manually.Using the sourcetype manager, a new sourcetype can be created by clicking the New Sourcetype button on the top right of the page. This option helps to create a new sourcetype, along with configuration settings, as shown in the following image:
When creating a sourcetype, the following options can be configured:
- The name and description of the sourcetype.
- The app to which the sourcetype is to be associated by selecting the app name from the dropdown list.
- The category can be chosen depending upon the source of the data so that pre-configured settings automatically get applied to the current sourcetype.
- Indexed extraction for extraction of fields can be chosen in the respective format if the data is any of the predefined formats like CSV, PSV, TSV, JSON, or W3C.
- Apart from choosing the pre-default options to apply pre-configured settings, manual settings can also be configured for event breaking, timestamping, and other advanced configurations, which will applied while uploading data on Splunk.
- Modifying sourcetype: Modifying various configurations can be done from the Sourcetype Manager page itself. Apart from the in-built sourcetype, the destination app can be changed along with category, event breaks, time stamping, and so on.
- Deleting sourcetype: In previous versions of Splunk, for deleting a sourcetype, there was no direct interface from the web console. It was done by running Splunk CLI commands. Now in Splunk 6.3, sourcetype can be deleted from the Sourcetype Manager page by clicking on the appropriate Delete button. Deleting the sourcetype could have adverse effects on the data associated with the sourcetype and also if any new data is associated with the sourcetype. Hence, deleting the sourcetype should done carefully.