Specifying a sourcetype
Identifying a sourcetype for data is important because it tells Splunk how to format the data. The sourcetype is one of the default fields assigned to each event that is processed, and Splunk uses it to decide how it is going to process your data. The correct sourcetype is usually assigned automatically when indexing data, because Splunk comes with many predefined sourcetypes.
One such sourcetype is access_combined. Using this, Splunk can analyze combined access log files, the type that makes up much of the massive data exhaust created by web servers such as Microsoft IIS or Apache. Some common sourcetypes include the following:

Sourcetype        Used for
access_combined   A standardized format for text files used by HTTP web servers when generating server log files
cisco_syslog      Cisco standard system logs
apache_error      Errors
Sometimes the access_combined sourcetype carries the suffix _wcookie, which indicates that each cookie set during an HTTP request is logged. The data we brought in and indexed in Chapter 1, Introducing Splunk, was specified as access_combined_wcookie. To specify this particular sourcetype, type the following into the search bar:

sourcetype=access_combined_wcookie

This will pull up the web server logs with this sourcetype so you can then use them for analysis.
When adding custom data formats, such as logs from applications built in-house, you should specify a descriptive sourcetype for the technology, since the sourcetype is what Splunk uses to differentiate data types. For Cisco IOS devices, you can use sourcetype=cisco:ios.
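The following inputs.conf and props.conf stanzas are an added example, not part of the original chapter, showing how a descriptive sourcetype is attached to an in-house application log at ingest time so that a search such as sourcetype=inhouse:app selects exactly those events, the same way sourcetype=access_combined_wcookie does above. The file path /var/log/inhouse/app.log, the sourcetype name inhouse:app, and the ISO-8601 timestamp layout are assumptions chosen for illustration.

```ini
# inputs.conf (assumed location: $SPLUNK_HOME/etc/system/local/inputs.conf)
# The monitored path and the sourcetype name are placeholders for your own application.
[monitor:///var/log/inhouse/app.log]
sourcetype = inhouse:app
index = main
disabled = false

# props.conf (assumed location: $SPLUNK_HOME/etc/system/local/props.conf)
# Tells Splunk how to break and timestamp events that carry the inhouse:app sourcetype.
# Assumes every event begins with a UTC timestamp such as 2015-03-01T12:34:56Z.
[inhouse:app]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20
```

Setting the sourcetype explicitly in inputs.conf matters for detection work: if it is left to be guessed, similar-looking logs from different applications can end up under different automatically chosen sourcetypes, and a search or alert written against one name will silently miss the rest.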