https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32224#M5722 <P>I do also recommend reading <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Whysourcetypesmatter">http://docs.splunk.com/Documentation/Splunk/latest/Data/Whysourcetypesmatter</A> and the topics that follow it.</P> Mon, 13 Aug 2012 21:03:14 GMT ChrisG 2012-08-13T21:03:14Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32220#M5718 <P>Hi,</P> <P>I'm looking for some help on sourcetype naming. I have a bunch of logfiles - some apache error logs, some apache access logs, some custom application error logs. I want to give my customers an easy way to search on these logs (there will be dozens of them). Should I use a pretrained source type? Wouldn't that make it more difficult to search on the logs? If I use a custom sourcetype (say "appname"), will Splunk recognize the logfile formats? </P> Fri, 10 Aug 2012 15:11:29 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32220#M5718 a212830 2012-08-10T15:11:29Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32221#M5719 <P>The concept of sourcetype was introduced so that a metadata field associated with an event would describe the <STRONG>nature</STRONG> of the data, which typically tells us something about the structure of the data rather than its precise origin. "Where is this data coming from?" is a question best answered with the 'host' and 'source' metadata fields. The sourcetype is rather there to answer "What kind of data is this?".</P> <P>For that reason, I would not recommend to assign the same sourcetype to access logs and application logs, for example. You are probably better off using a pre-trained sourcetype whenever one is available, such as 'access_common' or 'access_combined' for HTTPD access logs. This will bring the benefit of pre-packaged field extractions, among other things.</P> <P>Note that most pre-trained sourcetypes are defined in <CODE>$SPLUNK_HOME/etc/system/default/props.conf</CODE>.</P> Mon, 28 Sep 2020 12:14:56 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32221#M5719 hexx 2020-09-28T12:14:56Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32222#M5720 <P>Thanks, this helps me understand the usage better. Still, if I have dozens of logfiles, across multiple hosts, and I want to search them, how would I easily do that? I don't want to type in each host or logfile - that's a lot of work. Is there an alias, or something like that?</P> Mon, 13 Aug 2012 18:00:10 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32222#M5720 a212830 2012-08-13T18:00:10Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32223#M5721 <P>There are many ways to do this, and it really depends on what qualifies the event set that you want your search to return. You can use:<BR /><BR /> - <A href="http://docs.splunk.com/Documentation/Splunk/latest/User/StartSearching">Wildcards in your search terms</A><BR /> - <A href="http://docs.splunk.com/Documentation/Splunk/latest/User/ClassifyAndGroupSimilarEvents">Eventtypes</A><BR /> - <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouttagsandaliases">Tags</A></P> Mon, 13 Aug 2012 20:12:57 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32223#M5721 hexx 2012-08-13T20:12:57Z https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32224#M5722 <P>I do also recommend reading <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Whysourcetypesmatter">http://docs.splunk.com/Documentation/Splunk/latest/Data/Whysourcetypesmatter</A> and the topics that follow it.</P> Mon, 13 Aug 2012 21:03:14 GMT https://community.splunk.com/t5/Getting-Data-In/sourcetype-best-practices/m-p/32224#M5722 ChrisG 2012-08-13T21:03:14Z