I'm currently preparing for the Splunk Custom Data Load for completion of the Sales Engineer 2 certification. The directions say that I need to use a data set that will not load using the default settings in Splunk (i.e. I will need to edit config files to allow for the data to be ingested).
So my question is: what types of data should I look to use? Every data set I find seems to come in a form that Splunk will automatically ingest.
Many log files and data from third-party products come in a format that cannot be readily ingested by Splunk (not default sourcetypes) and must be collected using add-ons or through custom configurations.
In fact, if you look at Splunk Add-ons, most of these third-party products' logs cannot be directly ingested by Splunk out of the box, and specific sourcetypes and configurations have been defined for them in the add-ons to ingest and normalize the data, and some additional configurations are needed.