Getting Data In

Re: What is the best analogy for explaining 'sourcetypes'?

Splunk Employee

Oh, heya Burch. I was referring to this post by "FrankVl". >> It's just a label used to categorize data that has similar structure and content.

0 Karma

Re: What is the best analogy for explaining 'sourcetypes'?

Ultra Champion

Ah. Ok, cool.

0 Karma

Re: What is the best analogy for explaining 'sourcetypes'?

SplunkTrust

I liken it to a map. It defines the steps needed to figure out what kind of creature is behind the fourth comma. That number behind the seventh colon, that's obviously packed size. This approach has a bonus in that it lets me sing the map song from Dora.


Re: What is the best analogy for explaining 'sourcetypes'?

Ultra Champion

Ha ha. That sounds like a solid way to explain what the sourcetype does. I imagine it might still get questions around why sourcetypes are used rather than just the sources. Which then opens up landing the concept perfectly.

0 Karma

Re: What is the best analogy for explaining 'sourcetypes'?

SplunkTrust

Your explanation sounds very much like the description of objects in object oriented programming. The sourcetype allows you to group data in similar object types. This makes it easier to write configurations such as field extractions, tagging, etc on each sourcetype. Also, when you add new data, if it already fits one of the molds that you already have, you don't need to rewrite the configs all over again.

0 Karma
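To make concrete what "configurations such as field extractions, tagging, etc on each sourcetype" looks like in practice, here is an added props.conf example (not from any poster in this thread); the sourcetype names, regexes and sample events are made up for illustration.

```ini
# props.conf -- added example, not from the thread.
# Sourcetype names, regexes and the sample events in comments are constructed.

# Every event labelled with this sourcetype is broken, timestamped and
# field-extracted the same way, whatever host or file it came from.
# Sample event (constructed):
#   2024-05-01T12:00:01+0000,10.0.0.5,GET,/login,200
[acme:web:access]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
# Search-time extraction: name the value behind each comma once, here.
EXTRACT-access_fields = ^(?<ts>[^,]+),(?<client_ip>[^,]+),(?<method>[^,]+),(?<uri>[^,]+),(?<status>\d+)$
# Alias onto a shared field name so searches can treat all access logs alike.
FIELDALIAS-access_src = client_ip AS src

# A second sourcetype with a different structure gets its own "mold".
# Sample event (constructed):
#   1714564801 level=WARN user=alice msg="password retry limit reached"
[acme:app:events]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10
EXTRACT-app_fields = ^\d+ level=(?<level>\w+) user=(?<user>\S+) msg="(?<msg>[^"]*)"
FIELDALIAS-app_user = user AS src_user
```

Any new input that is assigned one of these sourcetypes inherits its stanza unchanged, which is the reuse the OOP analogy above describes; data with a genuinely different structure should get its own sourcetype rather than being forced through the wrong extraction.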

Re: What is the best analogy for explaining 'sourcetypes'?

Ultra Champion

Great point and I think this is a great nuance of how to cater an explanation towards the right audience. While a very tech-agnostic suggestion might work for business users, an object oriented one will resonate with techies! Kudos!

0 Karma

Re: What is the best analogy for explaining 'sourcetypes'?

Contributor

I think of indexes like bookshelves and sources like content. In that analogy, sourcetypes are like types of media. You could read an article in a newspaper or magazine, but that article could also be excerpted in a book. A lot of classic books were once serialized in magazines. You can even listen to a book or magazine article on a service like Audible.

Different audio media like cassettes and CDs can also contain the same content (source), and the medium determines how you interact with that content. If the media content is on a CD, you can easily skip back and forth on tracks, but not on a cassette.

All of these media (sourcetypes) determine how you get your content (source). You have to use different methods and have certain capabilities to handle each type of medium. Print books are no good to those without sight, and audio is useless to those without hearing. So it's important to choose the right medium (sourcetype) in order to get the content in a way that's useful.

Maybe in this analogy it's the human that's the indexer? I guess that's where it breaks down.

0 Karma

Re: What is the best analogy for explaining 'sourcetypes'?

Ultra Champion

Ha ha. I love the humility that you end it on.

It's an interesting concept. I honestly have had to read it a few times to follow. I'm curious if it's too involved OR am I just getting too close to end of day on a Friday.

Anyway, thanks for the contribution and the concept!

0 Karma

Re: What is the best analogy for explaining 'sourcetypes'?

Splunk Employee

As the child of a librarian, this analogy makes great sense to me! The librarian, who fills out the catalog entry for a given item, is the indexer. This analogy also accounts for cross-references. The patron is the search head.

0 Karma

Re: What is the best analogy for explaining 'sourcetypes'?

Explorer

I like to keep things simple so everyone understands what I'm intending to explain.

Consider Splunk as a database:

Index = database name
sourcetype = tables
_time = when these events were recorded in Splunk
host, source, sourcetype, _time are the key identifiers to create various views on the database.

0 Karma