I've noticed that the vast majority of sourcetypes that I have indexed are not appearing in the "Select a sourcetype" drop-down menu when trying to add data from Splunk in the "Add Sample Data" step. How is the TA looking for sourcetypes to populate the drop-down menu with?
Sourcetypes are tied to data collection.
1- If it is a mod input (built in Addon builder), it automatically shows on the list.
2- If it is data indexed by Splunk core, such as HEC or syslog, you will need to import it by clicking on the "import from splunk" button under the "add sample data" tab. Once you have imported it, it becomes visible to you in Addon builder so that you can apply knowledge (field extraction and CIM mapping) as part of the add-on.
3- If you want to add file monitoring in the addon, click on "upload from file"; it becomes visible to you in Addon builder so that you can apply knowledge (field extraction and CIM mapping) as part of the add-on.
This has become a common question we get. We will improve the UX to make it clearer in the future, but hope this answers your question.
Okay, so the problem is, I'm doing Step 2 and the sourcetype is not visible in the addon builder, so I'm not able to select it and move on to the Extract Fields step. I've tested this on both Linux+Windows installs of Splunk v6.5.2 with the same problem. Is this a bug then?
Could be a bug. One thing I forgot to mention: make sure you have data in that sourcetype. If the sourcetype has no data in the last week or month (forgot which one), then it won't be visible. Can you confirm the same?
There are events in the past 24 hours with a matching sourcetype. The sourcetype does not appear in the "Select a sourcetype" drop-down menu on the Add Sample Data page after clicking the "Add From Splunk" button. I am using v2.0.0 of the addon.
OK, sounds like a bug to me. We are releasing 2.1.0 very soon. I would try that version first, and if the problem persists, please file a bug. I will send you an email offline with early access.