Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my sourcetype auto classified as too_small?

Simeon
Splunk Employee
Splunk Employee
‎07-14-2010 05:24 PM

When I load certain sets of data and don't specify a sourcetype, why is it always labeled as "sourcetype=too_small"?

Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-14-2010 05:25 PM

Splunk will automatically try to classify your data if you don't specify a sourcetype. For small sets of data, such as less than 100 events, Splunk will label the data as "too_small".

View solution in original post

Reply
Solved! Jump to solution

risgupta_splunk
Splunk Employee
Splunk Employee
‎08-31-2016 10:10 PM

You can use settings in your props.conf as :

[too_small]
PREFIX_SOURCETYPE = false

This is will not grow the sourcetypes for your data.

0 Karma
Reply
Solved! Jump to solution

Joffer
Path Finder
‎08-23-2010 09:21 AM

Will the sourcetype change when the index has more than 100 events?

If you start indexing with followTail = 1 in the config(s), there will never be 100 events the first time...

0 Karma
Reply
Solved! Jump to solution

matthewcanty
Communicator
‎01-10-2013 04:41 AM

Can we force it to go away? What is the purpose of saying "too small"?

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-08-2010 10:22 PM

Depends how fast your logs are growing!

0 Karma
Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-14-2010 05:25 PM

Splunk will automatically try to classify your data if you don't specify a sourcetype. For small sets of data, such as less than 100 events, Splunk will label the data as "too_small".

Reply
Solved! Jump to solution

abhattacharya6
New Member
‎04-12-2016 04:33 PM

I am analyzing events in the range of 500-600k but still all the sourcetypes are ending with too_small. Any reason?

0 Karma
Reply
Solved! Jump to solution

risgupta_splunk
Splunk Employee
Splunk Employee
‎08-31-2016 10:11 PM

use

[too_small]
PREFIX_SOURCETYPE = false

and check.

0 Karma
Reply
Solved! Jump to solution

swdowiarz
Path Finder
‎12-14-2017 05:15 AM

Could you please explain where should I use it ?

0 Karma
Reply
Solved! Jump to solution

rphillips_splk
Splunk Employee
Splunk Employee
‎03-06-2023 05:41 PM

apply to data input instance where data is first read by Splunk

props.conf

[too_small]
PREFIX_SOURCETYPE = false


PREFIX_SOURCETYPE = <boolean>
* NOTE: this setting is only relevant to the "[too_small]" sourcetype.
* Determines the source types that are given to files smaller than 100
  lines, and are therefore not classifiable.
* PREFIX_SOURCETYPE = false sets the source type to "too_small."
* PREFIX_SOURCETYPE = true sets the source type to "<sourcename>-too_small",
  where "<sourcename>" is a cleaned up version of the filename.
  * The advantage of PREFIX_SOURCETYPE = true is that not all small files
    are classified as the same source type, and wildcard searching is often
    effective.
  * For example, a Splunk search of "sourcetype=access*" retrieves
    "access" files as well as "access-too_small" files.
* This setting applies at input time, when data is first read by Splunk
  software, such as on a forwarder that has configured inputs acquiring the
  data.
* Default: true

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...