Database Reference
In-Depth Information
Sourcetypes
Sourcetypes are also important to understand, as they define the rules Splunk applies to an event. A
sourcetype is one of the default fields that Splunk assigns to data as it comes into the system.
It identifies what kind of data an event is, so that Splunk can apply the right parsing rules
(timestamp recognition, line breaking, and field extraction) as it indexes it. It also lets a user
who searches the data categorize it easily. If the wrong sourcetype is assigned, fields are not
extracted as expected and searches that depend on them quietly return nothing.
Some of the common sourcetypes are listed as follows:
• access_combined, for NCSA combined format HTTP web server logs
• apache_error, for standard Apache web server error logs
• cisco_syslog, for the standard syslog produced by Cisco network devices (including PIX firewalls, routers, and ACS), usually via remote syslog to a central log host
• websphere_core, a core file export from WebSphere
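To make the idea concrete, the following added example (written for this page, not Splunk's own code) does in miniature what a sourcetype does for the first three formats listed above: it recognizes which format a raw line is in and extracts the fields that format defines. The sample events are constructed for the example, the regular expressions are the author's own and not Splunk's extraction rules, and the last line is deliberately unrecognizable to show the failure mode of an event that gets no sourcetype.

```python
import re

# Constructed sample events, one per sourcetype discussed above, plus one
# line that matches nothing (not real traffic; assumed for the example).
SAMPLE_EVENTS = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "http://example.com/" "Mozilla/5.0"',
    '[Tue Oct 10 13:55:36.123456 2023] [core:error] [pid 1234:tid 5678] '
    '[client 10.0.0.5:51234] File does not exist: /var/www/html/favicon.ico',
    'Oct 10 13:55:36 fw01 %ASA-6-302013: Built outbound TCP connection 12345 '
    'for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.5/51234 '
    '(10.0.0.5/51234)',
    'this line matches none of the formats',
]

# NCSA combined: client, ident, user, [timestamp], "request", status, bytes,
# "referer", "user agent".
ACCESS_COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<version>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)

# Apache 2.4-style error log: [timestamp] [module:level] [pid N:tid N]
# [client ip:port] message. The pid and client blocks are optional.
APACHE_ERROR_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] '
    r'(?:\[pid (?P<pid>\d+)(?::tid \d+)?\] )?'
    r'(?:\[client (?P<client>[^\]]+)\] )?(?P<message>.*)$'
)

# Cisco syslog as relayed to a central log host: "Mon DD HH:MM:SS host
# %FACILITY-SEVERITY-MNEMONIC: message". No year is present in the timestamp.
CISCO_SYSLOG_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>\w+): (?P<message>.*)$'
)

# Order matters: the first rule that matches wins, so put the most
# specific formats first.
RULES = [
    ("access_combined", ACCESS_COMBINED_RE),
    ("apache_error", APACHE_ERROR_RE),
    ("cisco_syslog", CISCO_SYSLOG_RE),
]


def classify(event):
    """Return (sourcetype, fields) for one raw line, or (None, {}) if no
    rule matches. Only fields that actually matched are returned."""
    for sourcetype, regex in RULES:
        match = regex.match(event)
        if match:
            fields = {k: v for k, v in match.groupdict().items() if v is not None}
            return sourcetype, fields
    return None, {}


def classify_all(events):
    """Classify a batch of lines and return a list of dicts with the
    assigned sourcetype, the extracted fields and the raw event."""
    results = []
    for event in events:
        sourcetype, fields = classify(event)
        results.append({"sourcetype": sourcetype, "fields": fields, "_raw": event})
    return results


if __name__ == "__main__":
    for result in classify_all(SAMPLE_EVENTS):
        print(result["sourcetype"], result["fields"])
```

The unmatched fourth line is the case a practitioner should watch for: an event that reaches the index with no usable sourcetype still gets stored, but none of the fields a search or alert relies on (status, clientip, severity) exist for it, so a detection written against those fields silently misses it.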