Admin Manual

 



inputs.conf - Configure data inputs

This documentation does not apply to the most recent version of Splunk.


These parameters add or reconfigure input sources from which the Splunk Server will access and index data.


Filename

Format

[<inputtype>:<path>]
attribute1 = val1
attribute2 = val2
...

Any attributes not specified will be set to the values for the [default] entry.


Input Types

This directs Splunk to use the tail file input module to watch all files in the <path>, or just <path> if it represents a single file.


Same as tail file, except Splunk uses the batch file input module.


This directs Splunk to read from the fifo at the specified path.


This configures Splunk to listen on the specified port. If a connection is made from <remote server>, this stanza is used to configure the input. If <remote server> is blank, this stanza matches all connections on the specified port.


Similar to TCP, except that it listens on a UDP port.


This is the same as TCP, except the remote server is assumed to be a Splunk server. For splunktcp, the host or connection_host will be used if the remote Splunk server does not set a host, or if the host is set to host::localhost.


This will run the SQL command "SELECT * FROM " on a regular basis. For each returned row, a new event will be created with the raw text being a comma-separated list of column name=column value.

Attributes

This is a shortcut for _MetaData:Host = <string>. It sets the host of events from this input to be the specified string. "host::" is automatically prepended to the value when this shortcut is used.


This is a shortcut for _MetaData:Index = <string>. It sets the index where events from this input will be stored.


This is a shortcut for !MetaData:Source = <string>. It sets the source name of events from this input to be the specified string. "source::" is automatically prepended to the value when this shortcut is used.


This is a shortcut for !MetaData:Sourcetype = <string>. It sets the source type name of events from this input to be the specified string. "sourcetype::" is automatically prepended to the value when this shortcut is used. Use Splunk's pre-trained source types whenever possible.


This is a shortcut for Reportinghost = <string>. It sets the reporting host name of events from this input to be the specified string. "reportinghost::" is automatically prepended to the value when this shortcut is used.


This generically associates <string> with <KEY> for all events from this input.


Additional Attributes

Tail

If specified, the tail file input module will use the specified regular expression to extract the host from the filename of each input. Specifically, the first group of the regex is used as the host. If the regex fails to match, the "host =" attribute is used as the host.


If specified, the tail file input module will use the specified '/' separated segment of the path as the host of each input. If the value is not an integer, or is less than 1, the "host =" attribute is used as the host.


Batch

This specifies the policy to be used to handle the files. The "sinkhole" policy will delete the files as they are read, while the other two methods will link or copy the files into a separate directory.


Batch input ignores these parameters.


TCP

The TCP input processor will rewrite the host with the IP address of the remote server if "ip" is set, the DNS name of the remote server if "dns" is set, and will do nothing to the host for any other string.


Splunk-2-Splunk

This specifies where the TCP input processor should deposit the events that it reads.


ODBC

   This specifies the DSN in which to find the table. It is required.


Examples

The following are example TCP input configurations. To use one of these configurations, copy the configuration block into $SPLUNK_HOME/etc/bundles/local/inputs.conf.


The example below directs the server to listen on TCP port 9997 for raw data from ANY remote server. The "host" of the data will be set as the IP address of the remote server.


[tcp::9997]

The example below directs the server to listen on TCP port 9995 for raw data from ANY remote server. The "host" of the data will be set as the host name of the remote server. All data will also be assigned the sourcetype "log4j" and the source "tcp:9995".


[tcp::9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995

The example below directs the server to listen on TCP port 9995 for raw data from 10.1.1.10. All data will be assigned the host "webhead-1", the sourcetype "access_common" and the source "10.1.1.10/var/log/apache/access.log".


[tcp:10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = 10.1.1.10/var/log/apache/access.log

The example below directs the server to listen on TCP port 9996 for Splunk-2-Splunk data from ANY remote server. The data will be delivered directly to the indexer on the local machine without any further processing. The "host" of the data will be set to the host name of the remote server ONLY IF the remote data has no host set, or if it is set to "localhost".


[splunktcp::9996]
queue = indexQueue
connection_host = dns

The example below directs the server to listen on TCP port 9996 for Splunk-2-Splunk data from only 10.1.1.100. The data will be processed just as locally harvested data is.


[splunktcp:10.1.1.100:9996]

The example below directs the server to listen on TCP port 514 for data from syslog.corp.company.net. The data will be assigned the sourcetype "syslog" and the "host" of the data will be set as the host name of the remote server.


[tcp:syslog.corp.company.net:514]
sourcetype = syslog
connection_host = dns
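
Because a blank <remote server> makes a tcp or splunktcp stanza match all connections on its port, it is worth reviewing inputs.conf for such listeners. The following audit script is an added example, not part of the Splunk documentation; the function names are hypothetical, and the sample configuration is constructed from the stanzas above plus a made-up [default] entry.

```python
import re

# Constructed sample built from this page's example stanzas; [default] is made up.
SAMPLE = """\
[default]
host = indexer-1

[tcp::9997]

[tcp:10.1.1.10:9995]
host = webhead-1

[splunktcp::9996]
queue = indexQueue
"""

# [<inputtype>:<remote server>:<port>] for the two listener types shown above.
LISTENER_RE = re.compile(r"^\[(tcp|splunktcp):(.*):(\d+)\]$")

def parse_inputs(text):
    """Return an ordered list of (stanza_header, attributes) pairs."""
    stanzas, attrs = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            attrs = {}
            stanzas.append((line, attrs))
        elif "=" in line and not line.startswith("#") and attrs is not None:
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    return stanzas

def audit_listeners(text):
    """List tcp/splunktcp listeners, flagging those with a blank <remote server>."""
    stanzas = parse_inputs(text)
    defaults = {}
    for header, attrs in stanzas:
        if header == "[default]":
            defaults.update(attrs)
    findings = []
    for header, attrs in stanzas:
        m = LISTENER_RE.match(header)
        if not m:
            continue
        input_type, remote, port = m.groups()
        findings.append({
            "stanza": header, "type": input_type, "port": int(port),
            "remote": remote or None,
            "accepts_any_remote": remote == "",
            "attrs": {**defaults, **attrs},  # unset attributes fall back to [default]
        })
    return findings
```

Each finding with accepts_any_remote set to True marks a port that will take data from any connecting host, so it is a candidate for a specific <remote server> or a network-level restriction.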

This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6

