Getting Data In

Why is my sourcetype auto classified as too_small?

Simeon
Splunk Employee

When I load certain sets of data and don't specify a sourcetype, why is it always labeled as "sourcetype=too_small"?

1 Solution

Simeon
Splunk Employee

Splunk will automatically try to classify your data if you don't specify a sourcetype. For small sets of data, such as less than 100 events, Splunk will label the data as "too_small".


risgupta_splunk
Splunk Employee

You can use settings in your props.conf as:

[too_small]
PREFIX_SOURCETYPE = false

This will not grow the sourcetypes for your data.

0 Karma

Joffer
Path Finder

Will the sourcetype change when the index has more than 100 events?

If you start indexing with followTail = 1 in the config(s), there will never be 100 events the first time...

0 Karma

matthewcanty
Communicator

Can we force it to go away? What is the purpose of saying "too small"?

jrodman
Splunk Employee

Depends how fast your logs are growing!

0 Karma

abhattacharya6
New Member

I am analyzing events in the range of 500-600k but still all the sourcetypes are ending with too_small. Any reason?

0 Karma

risgupta_splunk
Splunk Employee

Use

[too_small]
PREFIX_SOURCETYPE = false

and check.

0 Karma

swdowiarz
Path Finder

Could you please explain where I should use it?

0 Karma

rphillips_splk
Splunk Employee

Apply to the data input instance where data is first read by Splunk:

props.conf

[too_small]
PREFIX_SOURCETYPE = false


PREFIX_SOURCETYPE = <boolean>
* NOTE: this setting is only relevant to the "[too_small]" sourcetype.
* Determines the source types that are given to files smaller than 100
  lines, and are therefore not classifiable.
* PREFIX_SOURCETYPE = false sets the source type to "too_small."
* PREFIX_SOURCETYPE = true sets the source type to "<sourcename>-too_small",
  where "<sourcename>" is a cleaned up version of the filename.
  * The advantage of PREFIX_SOURCETYPE = true is that not all small files
    are classified as the same source type, and wildcard searching is often
    effective.
  * For example, a Splunk search of "sourcetype=access*" retrieves
    "access" files as well as "access-too_small" files.
* This setting applies at input time, when data is first read by Splunk
  software, such as on a forwarder that has configured inputs acquiring the
  data.
* Default: true

0 Karma
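
Added example, not part of any post in this thread and not Splunk's own code: since the "too_small" label only appears when no sourcetype is specified, this script lists the file inputs in an inputs.conf that leave the sourcetype to automatic classification. The sample configuration, its paths and its sourcetype names are constructed, and the script assumes it is given one inputs.conf file rather than Splunk's merged configuration across apps.

```python
# Added example: flag file inputs that leave sourcetype to automatic classification.
import re

# Constructed sample inputs.conf (paths and sourcetype names are made up).
SAMPLE_INPUTS_CONF = """\
[default]
host = web01

[monitor:///var/log/nginx/access.log]
sourcetype = nginx:access
index = web

# short-lived job logs, no sourcetype given
[monitor:///opt/jobs/*.out]
index = app

[batch:///var/spool/drop/*.csv]
move_policy = sinkhole

[tcp://9997]
connection_host = ip
"""

STANZA = re.compile(r"^\[(.+)\]\s*$")
FILE_INPUT = re.compile(r"^(monitor|batch)://")  # inputs that read files

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def unclassified_file_inputs(text):
    """Return file-input stanzas with no sourcetype, own or from [default]."""
    stanzas = parse_conf(text)
    if stanzas.get("default", {}).get("sourcetype"):
        return []  # every stanza inherits the [default] sourcetype
    return [name for name, kv in stanzas.items()
            if FILE_INPUT.match(name) and not kv.get("sourcetype")]

if __name__ == "__main__":
    for name in unclassified_file_inputs(SAMPLE_INPUTS_CONF):
        print(f"no sourcetype set: [{name}]")
```

Stanzas it reports are the ones whose small files can end up as "too_small" or "<sourcename>-too_small"; setting an explicit sourcetype on them avoids the automatic classification altogether.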