All data arriving in Splunk is first examined by its built-in data processing pipeline and classified into data types and categories. For example, if the input is an Apache web server log, Splunk recognizes it as such and creates the appropriate fields from the data it reads.
This feature is called source type detection; it relies on Splunk's built-in source types, known as "pretrained" source types.
This simplifies analysis, since the user does not have to classify the data manually or assign types to the fields of the incoming data.
Supported Source Types
The supported source types in Splunk can be seen by uploading a file through the Add Data feature and then opening the Source Type dropdown. In the image below, a CSV file has been uploaded and the available options are listed.
Source Type Sub-Category
Within each category you can click further to see all the supported sub-categories. For example, when you choose the Database category, you find the different database types and the file formats for each that Splunk can recognize.
Pre-Trained Source Types
The table below lists some of the important pre-trained source types that Splunk recognizes:
| Source Type Name | Nature |
|---|---|
| access_combined | NCSA combined format HTTP web server logs (can be generated by Apache or other web servers) |
| access_combined_wcookie | NCSA combined format HTTP web server logs (can be generated by Apache or other web servers), with a cookie field added at the end |
| apache_error | Standard Apache web server error log |
| linux_messages_syslog | Standard Linux syslog (/var/log/messages on most platforms) |
| log4j | Log4j standard output produced by any J2EE server using log4j |
| mysqld_error | Standard MySQL error log |
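To show what format-based source type detection actually does, here is an added Python example (not Splunk's own code): it classifies constructed sample lines into the source types from the table using hand-written patterns that approximate each format, and extracts the fields a matched line yields, including the trailing cookie that distinguishes access_combined_wcookie from access_combined. The sample lines and patterns are assumptions, much simpler than Splunk's real detection, but they illustrate why a mis-typed feed produces no usable fields for later searches and detections.

```python
import re

# Constructed sample lines (not from the page), one per format in the table,
# plus a line that matches nothing.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "http://example.com/" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0" "session=abc123"',
    '[Tue Oct 10 13:55:36 2023] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico',
    'Oct 10 13:55:36 host1 sshd[1234]: Failed password for invalid user admin from 10.0.0.9 port 4242 ssh2',
    '2023-10-10 13:55:36 ERROR [main] com.example.App - Connection refused',
    '2023-10-10T13:55:36.123456Z 0 [ERROR] Aborting',
    'this is not a recognised log line',
]

# Simplified, assumed approximations of each format's line prefix.
COMBINED = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"(?: "(?P<cookie>[^"]*)")?$')
APACHE_ERROR = re.compile(r'^\[\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\] \[(?P<level>\w+)\] ')
SYSLOG = re.compile(r'^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<process>[\w./-]+)(?:\[(?P<pid>\d+)\])?: ')
MYSQLD_ERROR = re.compile(r'^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?Z \d+ \[(?P<level>\w+)\] ')
LOG4J = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:,\d+)? +(?P<level>[A-Z]+) +\[(?P<thread>[^\]]+)\] ')

ORDERED_PATTERNS = (('apache_error', APACHE_ERROR), ('linux_messages_syslog', SYSLOG),
                    ('mysqld_error', MYSQLD_ERROR), ('log4j', LOG4J))


def detect_sourcetype(line):
    """Return (sourcetype, extracted_fields) for one line, or ('unknown', {})."""
    m = COMBINED.match(line)
    if m:
        fields = {k: v for k, v in m.groupdict().items() if v is not None}
        # The optional trailing quoted field is what makes it the _wcookie variant.
        name = 'access_combined_wcookie' if 'cookie' in fields else 'access_combined'
        return name, fields
    for name, pattern in ORDERED_PATTERNS:
        m = pattern.match(line)
        if m:
            return name, {k: v for k, v in m.groupdict().items() if v is not None}
    return 'unknown', {}


def classify(lines):
    """Source type label for each line, in order."""
    return [detect_sourcetype(line)[0] for line in lines]
```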