Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my sourcetype auto classified as too_small?

Simeon
Splunk Employee
Splunk Employee
‎07-14-2010 05:24 PM

When I load certain sets of data and don't specify a sourcetype, why is it always labeled as "sourcetype=too_small"?

Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-14-2010 05:25 PM

Splunk will automatically try to classify your data if you don't specify a sourcetype. For small sets of data, such as less than 100 events, Splunk will label the data as "too_small".

View solution in original post

Reply
Solved! Jump to solution

risgupta_splunk
Splunk Employee
Splunk Employee
‎08-31-2016 10:10 PM

You can use settings in your props.conf as :

[too_small]
PREFIX_SOURCETYPE = false

This is will not grow the sourcetypes for your data.

Reply
Solved! Jump to solution

Joffer
Path Finder
‎08-23-2010 09:21 AM

Will the sourcetype change when the index has more than 100 events?

If you start indexing with followTail = 1 in the config(s), there will never be 100 events the first time...

0 Karma
Reply
Solved! Jump to solution

matthewcanty
Communicator
‎01-10-2013 04:41 AM

Can we force it to go away? What is the purpose of saying "too small"?

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-08-2010 10:22 PM

Depends how fast your logs are growing!

0 Karma
Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-14-2010 05:25 PM

Splunk will automatically try to classify your data if you don't specify a sourcetype. For small sets of data, such as less than 100 events, Splunk will label the data as "too_small".

Reply
Solved! Jump to solution

abhattacharya6
New Member
‎04-12-2016 04:33 PM

I am analyzing events in the range of 500-600k but still all the sourcetypes are ending with too_small. Any reason?

0 Karma
Reply
Solved! Jump to solution

risgupta_splunk
Splunk Employee
Splunk Employee
‎08-31-2016 10:11 PM

use

[too_small]
PREFIX_SOURCETYPE = false

and check.

0 Karma
Reply
Solved! Jump to solution

swdowiarz
Path Finder
‎12-14-2017 05:15 AM

Could you please explain where should I use it ?

0 Karma
Reply
Solved! Jump to solution

rphillips_splk
Splunk Employee
Splunk Employee
‎03-06-2023 05:41 PM

apply to data input instance where data is first read by Splunk

props.conf

[too_small]
PREFIX_SOURCETYPE = false


PREFIX_SOURCETYPE = <boolean>
* NOTE: this setting is only relevant to the "[too_small]" sourcetype.
* Determines the source types that are given to files smaller than 100
  lines, and are therefore not classifiable.
* PREFIX_SOURCETYPE = false sets the source type to "too_small."
* PREFIX_SOURCETYPE = true sets the source type to "<sourcename>-too_small",
  where "<sourcename>" is a cleaned up version of the filename.
  * The advantage of PREFIX_SOURCETYPE = true is that not all small files
    are classified as the same source type, and wildcard searching is often
    effective.
  * For example, a Splunk search of "sourcetype=access*" retrieves
    "access" files as well as "access-too_small" files.
* This setting applies at input time, when data is first read by Splunk
  software, such as on a forwarder that has configured inputs acquiring the
  data.
* Default: true

 

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...