Admin Manual

 


This documentation does not apply to the most recent version of Splunk.

inputs.conf

inputs.conf configures all inputs to Splunk, including file and directory tailing and watching, network ports, and scripted inputs.


To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/inputs.conf.


You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/inputs.conf.example.


Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.


inputs.conf.spec

# Copyright (C) 2005-2007 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains all possible options for an "inputs.conf" file.
#
# Most of Splunk's data input is configured through the files
# $SPLUNK_HOME/etc/bundles/<bundle name>/inputs.conf
#
# A configuration looks like:
[<inputtype>://<path>]
attribute1 = val1
attribute2 = val2
...
# The precedence rules are the same as in props.conf.spec.
# A configuration without a set of attribute/value pairs will use the
# [default] attribute/value pairs.
The possible attribute/value pairs are:
host = <string>
  * This is a shortcut for MetaData:Host = <string>. It sets the host of
    events from this input to be the specified string. "host::" is 
    automatically prepended to the value when this shortcut is used.
index = <string>
  * This is a shortcut for _MetaData:Index = <string>. It sets the index where
    events from this input will be stored.
source = <string>
  * This is a shortcut for MetaData:Source = <string>. It sets the source name
    of events from this input to be the specified string. "source::" is
    automatically prepended to the value when this shortcut is used.
sourcetype = <string>
  * This is a shortcut for MetaData:Sourcetype = <string>. It sets the 
    source type name of events from this input to be the specified string.
    "sourcetype::" is automatically prepended to the value when this
    shortcut is used.
reportinghost = <string>
  * This is a shortcut for Reportinghost = <string>. It sets the 
    reporting host name of events from this input to be the specified string.
    "reportinghost::" is automatically prepended to the value when this
    shortcut is used.
<KEY> = <string>
  * This generically associates <string> with <KEY> for all events from this
    input.
Valid <inputtypes> are:
TCP: 
  * [tcp://<remote server>:<port>]
    This configures Splunk to listen on the specified port. If a connection
    is made from <remote server>, this stanza is used to configure the input.
    If <remote server> is blank, this stanza matches all connections on the
    specified port.
  * Additional attributes:
   
    connection_host = {ip,dns,<string>} (ip)
    The TCP input processor will rewrite the host with the ip address of the 
    remote server if "ip" is set, the DNS name of the remote server if "dns"
    is set, and will do nothing to the host for any other string.
  * Example:
    [tcp://9997]
    sourcetype = mycustomsource
    This will listen for data on TCP port 9997 and have the data indexed by
    sourcetype::mycustomsource.
Splunk-2-Splunk:
  * [Splunktcp://<remote server>:<port>]
    This is the same as TCP, except the remote server is assumed to be a
    Splunk server. For Splunktcp, the host or connection_host will be used
    if the remote Splunk server does not set a host, or if the host is set
    to host::localhost. Note that attributes like index should be set on
    the sending host.
  * Additional attributes:
    queue = <string> (parsingPipeline)
    This specifies where the TCP input processor should deposit the events
    that it reads.
  * Example:
    [Splunktcp://192.168.0.100:9998]
SSL TCP & Splunk-2-Splunk
  * [SSL]
    serverCert=<full path to the server certificate>
    password=<server certificate password, if any>
    rootCA=<certificate authority list (root file)>
    dhfile=<optional path to the dhfile.pem>
    requireClientCert=<true|false> - if we require a client to authenticate with us
  * [Splunktcp-ssl://8888] - this will set up SSL input on port 8888 using
    the above certificate info
UDP:
  * [udp://:<port>]
    Similar to TCP, except that it listens on a UDP port.
  * Additional attributes:
    _rcvbuf = <int>
    The UDP port will have its receive buffer changed to the value
    specified.  If the value is 0 or negative, it will be ignored.  The
    default value for Splunk is 1MB (the default in the OS varies).
FIFO:
  * [fifo://<path>]
    This directs Splunk to read from the fifo at the specified path.
Tailing:
  * [tail://<path>]
    This directs Splunk to watch all files in the <path>, or just <path> if
    it represents a single file.
  * Additional attributes:
    host_regex = <regular expression>
    If specified, the batch monitor will use the specified regular expression
    to extract the host from the filename of each input. Specifically the first
    group of the regex is used as the host. If the regex fails to match, the
    "host =" attribute is used as the host.
    host_segment = <integer>
    If specified, the batch monitor will use the specified '/' separated
    segment of the path as the host of each input. If the value is not an
    integer, or is less than 1, the "host =" attribute is used as the host.
    _whitelist = <regular expression>
    If specified, files from this path will be tailed only if they match
    the specified regular expression.
    _blacklist = <regular expression>
    If specified, files from this path will not be tailed if they match
    the specified regular expression.
    crcSalt = <string>
    If specified, this string will be added to the crc. This can be used to stop
    Splunk from having problems with files that start with headers; Exchange
    logs, for example, suffer from this problem. If the string <SOURCE> is
    specified, then the full source path will be added to the crc.
Batch:
  * [batch://<path>]
    Same as tailing, except Splunk uses the batch file loader.
  * Additional attributes:
    
    move_policy = {passive_symlink, passive_copy, sinkhole} (passive_symlink)
    This specifies the policy to be used to handle the files. The "sinkhole"
    policy will delete the files as they are read, while the other two methods
    will link or copy the files into a separate directory. The 
    host_regex (see Tailing)
    host_segment (see Tailing)
    The following are not used by the batch loader:
    source = <string>
    <KEY>  = <string>
Scripted Input:
  * [script://<cmd>]
    Will run the command "cmd" at a configured interval and index the output.  The
    command must reside in the <Splunk_home>/etc/bundles/$YOUR_BUNDLE/bin directory.    
    interval = <integer>
    How often to execute the specified command (in seconds); if interval is not 
    specified it will default to 60 seconds.
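
The following audit script is an added example, not part of the Splunk spec or of Splunk's own tooling. It reads an inputs.conf and reports three settings described above that an administrator will want to review: a tcp or Splunktcp stanza with a blank <remote server>, an SSL input whose [SSL] stanza does not set requireClientCert to true, and a batch input using the sinkhole move_policy. The function name audit_inputs and every address, port and path in the sample are assumptions made for the example.

```python
import configparser

# Constructed sample; addresses, ports and paths are illustrative only.
SAMPLE = """\
[default]
host = idx01

[tcp://9997]
sourcetype = mycustomsource

[tcp://10.0.0.5:9996]
sourcetype = fw

[SSL]
serverCert = /opt/splunk/certs/server.pem
requireClientCert = false

[Splunktcp-ssl://8888]

[batch:///var/spool/drop]
move_policy = sinkhole
"""

def audit_inputs(text):
    """Return (stanza, finding) pairs for an inputs.conf passed as a string."""
    # default_section mirrors the spec: stanzas inherit from [default].
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # keep key case, e.g. requireClientCert
    cp.read_string(text)
    ssl = cp["SSL"] if cp.has_section("SSL") else {}
    findings = []
    for stanza in cp.sections():
        scheme, sep, target = stanza.partition("://")
        if not sep:
            continue  # [SSL] and other non-input stanzas
        scheme = scheme.lower()
        if scheme in ("tcp", "splunktcp"):
            # "<remote server>:<port>"; a bare port leaves the server blank.
            if not target.rpartition(":")[0]:
                findings.append((stanza, "blank <remote server>: matches all connections"))
        elif scheme.endswith("-ssl"):
            if ssl.get("requireClientCert", "false").strip().lower() != "true":
                findings.append((stanza, "requireClientCert not true: clients not authenticated"))
        elif scheme == "batch":
            if cp[stanza].get("move_policy", "").strip() == "sinkhole":
                findings.append((stanza, "sinkhole: source files are deleted as they are read"))
    return findings

if __name__ == "__main__":
    for stanza, finding in audit_inputs(SAMPLE):
        print(f"[{stanza}] {finding}")
```

A missing [SSL] stanza or a missing requireClientCert key is reported the same way as an explicit false, because the spec above does not state a default for that attribute.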

This documentation applies to the following versions of Splunk: 3.0, 3.0.1

