topic How do I test sourcetyping before I index in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-do-I-test-sourcetyping-before-I-index/m-p/75721#M15455 <P>How can I see how Splunk is going to handle a particular dataset BEFORE I actually input? For example: If I monitor a log what sourcetype is splunk going to tag the events with?</P> Wed, 06 Apr 2011 23:22:44 GMT rroberts 2011-04-06T23:22:44Z How do I test sourcetyping before I index https://community.splunk.com/t5/Getting-Data-In/How-do-I-test-sourcetyping-before-I-index/m-p/75721#M15455 <P>How can I see how Splunk is going to handle a particular dataset BEFORE I actually input? For example: If I monitor a log what sourcetype is splunk going to tag the events with?</P> Wed, 06 Apr 2011 23:22:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-test-sourcetyping-before-I-index/m-p/75721#M15455 rroberts 2011-04-06T23:22:44Z Re: How do I test sourcetyping before I index https://community.splunk.com/t5/Getting-Data-In/How-do-I-test-sourcetyping-before-I-index/m-p/75722#M15456 <P>Check the CLI test. From $SPLUNK_HOME/bin Check help for test... ./splunk test help ./splunk test sourcetype </P> <P>Example:</P> <P>./splunk test sourcetype /opt/tradelog/trade_entries.log</P> <P>PROPERTIES OF /opt/log/tradelog/trade_entries.log<BR /> Attr:ANNOTATE_PUNCT True<BR /> Attr:BREAK_ONLY_BEFORE<BR /> Attr:BREAK_ONLY_BEFORE_DATE True<BR /> Attr:CHARSET UTF-8<BR /> Attr:DATETIME_CONFIG /etc/datetime.xml<BR /> Attr:HEADER_MODE<BR /> Attr:LEARN_SOURCETYPE true<BR /> Attr:LINE_BREAKER_LOOKBEHIND 100<BR /> Attr:MAX_DAYS_AGO 2000<BR /> Attr:MAX_DAYS_HENCE 2<BR /> Attr:MAX_DIFF_SECS_AGO 3600<BR /> Attr:MAX_DIFF_SECS_HENCE 604800<BR /> Attr:MAX_EVENTS 256<BR /> Attr:MAX_TIMESTAMP_LOOKAHEAD 44<BR /> Attr:MUST_BREAK_AFTER<BR /> Attr:MUST_NOT_BREAK_AFTER<BR /> Attr:MUST_NOT_BREAK_BEFORE<BR /> Attr:SEGMENTATION indexing<BR /> Attr:SEGMENTATION-all full<BR /> Attr:SEGMENTATION-inner inner<BR /> Attr:SEGMENTATION-outer outer<BR /> Attr:SEGMENTATION-raw none<BR /> Attr:SEGMENTATION-standard standard<BR /> Attr:SHOULD_LINEMERGE False<BR /> Attr:TRANSFORMS Attr:TRUNCATE 10000<BR /> Attr:is_valid True<BR /> Attr:maxDist 100<BR /> Attr:sourcetype trade_entries-2</P> <P>Note attributes including sourcetype.</P> Wed, 06 Apr 2011 23:26:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-test-sourcetyping-before-I-index/m-p/75722#M15456 rroberts 2011-04-06T23:26:27Z