When I load certain sets of data and don't specify a sourcetype, why is it always labeled as "sourcetype=too_small"?
Splunk will automatically try to classify your data if you don't specify a sourcetype. For small sets of data, such as less than 100 events, Splunk will label the data as "too_small".
You can use these settings in your props.conf:
[too_small]
PREFIX_SOURCETYPE = false
This will not grow the sourcetypes for your data.
Will the sourcetype change when the index has more than 100 events?
If you start indexing with followTail = 1 in the config(s), there will never be 100 events the first time...
Can we force it to go away? What is the purpose of saying "too small"?
Depends how fast your logs are growing!
Splunk will automatically try to classify your data if you don't specify a sourcetype. For small sets of data, such as less than 100 events, Splunk will label the data as "too_small".
I am analyzing events in the range of 500-600k but still all the sourcetypes are ending with too_small. Any reason?
use
[too_small]
PREFIX_SOURCETYPE = false
and check.
Could you please explain where I should use it?
Apply to the data input instance where data is first read by Splunk
props.conf
[too_small]
PREFIX_SOURCETYPE = false
PREFIX_SOURCETYPE = <boolean>
* NOTE: this setting is only relevant to the "[too_small]" sourcetype.
* Determines the source types that are given to files smaller than 100
  lines, and are therefore not classifiable.
* PREFIX_SOURCETYPE = false sets the source type to "too_small."
* PREFIX_SOURCETYPE = true sets the source type to "<sourcename>-too_small",
  where "<sourcename>" is a cleaned up version of the filename.
* The advantage of PREFIX_SOURCETYPE = true is that not all small files
  are classified as the same source type, and wildcard searching is often
  effective.
* For example, a Splunk search of "sourcetype=access*" retrieves
  "access" files as well as "access-too_small" files.
* This setting applies at input time, when data is first read by Splunk
  software, such as on a forwarder that has configured inputs acquiring the
  data.
* Default: true
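The thread's starting point is an input with no sourcetype specified, so one practical check is to list the monitor inputs that leave source typing to automatic classification. The following is an added example, not part of the original thread or Splunk's own code: it reads a single inputs.conf text (the sample config and its paths are constructed, and layering across several config files is not modelled) and also recognises both naming forms that PREFIX_SOURCETYPE produces.

```python
# Added example: flag inputs.conf monitor stanzas that set no sourcetype.
# Such inputs are left to automatic classification, the case the thread
# describes, and small files from them can end up as "too_small" or
# "<sourcename>-too_small". The sample config below is constructed.

SAMPLE_INPUTS_CONF = """\
[default]
index = main

[monitor:///var/log/nginx/access.log]
sourcetype = access_combined

# constructed path, no sourcetype set
[monitor:///opt/app/logs/audit.log]
followTail = 1

[monitor:///opt/app/logs/*.out]
index = app
"""


def parse_stanzas(conf_text):
    """Return {stanza_name: {key: value}} for a Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def monitors_without_sourcetype(conf_text):
    """List monitor inputs that would fall back to automatic source typing."""
    stanzas = parse_stanzas(conf_text)
    if stanzas.get("default", {}).get("sourcetype"):
        return []  # a [default] sourcetype is inherited by every input
    return [name for name, kv in stanzas.items()
            if name.startswith("monitor://") and not kv.get("sourcetype")]


def is_too_small_family(sourcetype):
    """True for "too_small" and the prefixed "<sourcename>-too_small" form."""
    return sourcetype == "too_small" or sourcetype.endswith("-too_small")


if __name__ == "__main__":
    for stanza in monitors_without_sourcetype(SAMPLE_INPUTS_CONF):
        print("no explicit sourcetype:", stanza)
```

Run it against the inputs.conf on the instance that first reads the data, since that is where the quoted spec says the setting applies.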