https://community.splunk.com/t5/Getting-Data-In/Source-vs-Sourcetype-What-s-the-difference/m-p/347341#M63777 <P>1) Which are the sources of the event?Simulate me some real situations.<BR /> event source can be anything. a system log file, an app log files, lookup files, etc..</P> <P>2) Which are the sources type of the event? The same question. --- the type of the sources will be the sourcetype. </P> <P>for example, you can add data from /var/log/messages to splunk. <BR /> for this data, </P> <PRE><CODE>source=/var/log/messages and sourcetype=linux_syslog </CODE></PRE> <P>Source vs sourcetype - <BR /> Source and source type are both default fields, but they are entirely different otherwise, and can be easily confused.</P> <P>The source is the name of the file, stream, or other input from which a particular event originates.<BR /> The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data.<BR /> Events with the same source type can come from different sources, for example, if you monitor <CODE>source=/var/log/messages</CODE> and receive direct syslog input from udp:514. If you search <CODE>sourcetype=linux_syslog</CODE>, events from both of those sources are returned.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Aboutdefaultfields">http://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Aboutdefaultfields</A></P> Wed, 01 Nov 2017 06:33:34 GMT inventsekar 2017-11-01T06:33:34Z https://community.splunk.com/t5/Getting-Data-In/Source-vs-Sourcetype-What-s-the-difference/m-p/347340#M63776 <P>Source - The source of an event is the name of the file, stream, or other input from which the event originates<BR /> 1) Which are the sources of the event?Simulate me some real situations.</P> <P>Sourcetype - The source type of an event is the format of the data input from which it originates like for windows .evt files from event viewer<BR /> 1) Which are the sources type of the event? The same question.</P> <P>I can not understand what applies to source and to sourcetype.<BR /> I would be glad if somebody gives examples. Or what should I read to better understand logs? I understand that there are just different logs. Some are responsible for one, the other for the other.</P> Wed, 01 Nov 2017 00:58:45 GMT https://community.splunk.com/t5/Getting-Data-In/Source-vs-Sourcetype-What-s-the-difference/m-p/347340#M63776 test_qweqwe 2017-11-01T00:58:45Z https://community.splunk.com/t5/Getting-Data-In/Source-vs-Sourcetype-What-s-the-difference/m-p/347341#M63777 <P>1) Which are the sources of the event?Simulate me some real situations.<BR /> event source can be anything. a system log file, an app log files, lookup files, etc..</P> <P>2) Which are the sources type of the event? The same question. --- the type of the sources will be the sourcetype. </P> <P>for example, you can add data from /var/log/messages to splunk. <BR /> for this data, </P> <PRE><CODE>source=/var/log/messages and sourcetype=linux_syslog </CODE></PRE> <P>Source vs sourcetype - <BR /> Source and source type are both default fields, but they are entirely different otherwise, and can be easily confused.</P> <P>The source is the name of the file, stream, or other input from which a particular event originates.<BR /> The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data.<BR /> Events with the same source type can come from different sources, for example, if you monitor <CODE>source=/var/log/messages</CODE> and receive direct syslog input from udp:514. If you search <CODE>sourcetype=linux_syslog</CODE>, events from both of those sources are returned.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Aboutdefaultfields">http://docs.splunk.com/Documentation/Splunk/7.0.0/Data/Aboutdefaultfields</A></P> Wed, 01 Nov 2017 06:33:34 GMT https://community.splunk.com/t5/Getting-Data-In/Source-vs-Sourcetype-What-s-the-difference/m-p/347341#M63777 inventsekar 2017-11-01T06:33:34Z https://community.splunk.com/t5/Getting-Data-In/Source-vs-Sourcetype-What-s-the-difference/m-p/347342#M63778 <P>The source is the entity of the log</P> <P>Source type is log classification<BR /> Classification is used variously by users.<BR /> · Classification by format<BR /> · Classified by service and system<BR /> · Classified by character code<BR /> · etc</P> Wed, 01 Nov 2017 09:18:24 GMT https://community.splunk.com/t5/Getting-Data-In/Source-vs-Sourcetype-What-s-the-difference/m-p/347342#M63778 HiroshiSatoh 2017-11-01T09:18:24Z