Add Input Configurations
This documentation does not apply to the most recent version of Splunk.
These parameters add or reconfigure input sources from which the Splunk server will access and index data.
Filename
inputs.conf (within any subdirectory of $SPLUNK_HOME/etc/bundles/)
Format
[:]
attribute1 = val1
attribute2 = val2
...
Any attributes not specified are set to the values for the [default] entry.
Input Types
Tail File
This directs Splunk to use the tail file input module to watch all files in the directory.
Batch File
Same as tail file, except Splunk uses the batch file input module.
FIFO
This directs Splunk to read from the FIFO at the specified path.
TCP
This configures Splunk to listen on the specified port. If a connection is made from , this stanza is used to configure the input. If is blank, this stanza matches all connections on the specified port.
UDP
Similar to TCP, except that it listens on a UDP port.
Distributed
This is the same as TCP, except the remote server is assumed to be a Splunk server. For splunktcp, the host or connection_host will be used if the remote Splunk server does not set a host, or if the host is set to host::localhost.
Attributes
Every input type has these possible options:
- host =
This is a shortcut for MetaData:Host =. It sets the host of events from this input to be the specified string. "host::" is automatically prepended to the value when this shortcut is used.
- index =
This is a shortcut for _MetaData:Index = . It sets the index where events from this input will be stored.
- source =
This is a shortcut for MetaData:Source = . It sets the source name of events from this input to be the specified string. "source::" is automatically prepended to the value when this shortcut is used.
- sourcetype =
This is a shortcut for MetaData:Sourcetype = . It sets the source type name of events from this input to be the specified string. "sourcetype::" is automatically prepended to the value when this shortcut is used.
- reportinghost =
This is a shortcut for Reportinghost = . It sets the reporting host name of events from this input to be the specified string. "reportinghost::" is automatically prepended to the value when this shortcut is used.
- =
This generically associates with for all events from this input.
Additional Attributes
Each input type has additional attributes specific to the type:
Tail
- host_regex =
If specified, the tail file input module will use the specified regular expression to extract the host from the filename of each input. Specifically, the first group of the regex is used as the host. If the regex fails to match, the "host =" attribute is used as the host.
- host_segment =
If specified, the tail file input module will use the specified '/' separated segment of the path as the host of each input. If the value is not an integer, or is less than 1, the "host =" attribute is used as the host.
- _whitelist =
If specified, files from this path will be tailed only if they match the specified regular expression.
- _blacklist =
If specified, files from this path will not be tailed if they match the specified regular expression. If a file is inadvertently specified for both _whitelist and _blacklist, _blacklist prevails and the file will not be tailed.
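The Tail rules above, modelled in Python as an added example (this is not Splunk's code). It assumes Python regex syntax with unanchored matching, that host_regex is applied to the full path and is tried before host_segment, that segments are counted from 1 after the leading '/', and that an out-of-range segment falls back to "host ="; the paths and attribute values are constructed.

```python
import re

def should_tail(path, whitelist=None, blacklist=None):
    """Apply _whitelist / _blacklist; _blacklist prevails when both match."""
    if blacklist and re.search(blacklist, path):
        return False
    return not whitelist or re.search(whitelist, path) is not None

def resolve_host(path, host, host_regex=None, host_segment=None):
    """Return the host for one tailed file; `host` is the "host =" fallback."""
    if host_regex:
        m = re.search(host_regex, path)
        # First capture group is the host; a failed match falls back.
        return m.group(1) if m and m.re.groups and m.group(1) else host
    if host_segment is not None:
        try:
            n = int(host_segment)
        except (TypeError, ValueError):
            return host  # not an integer
        segments = [s for s in path.split("/") if s]
        # Values below 1 fall back; out-of-range values too (assumption).
        if 1 <= n <= len(segments):
            return segments[n - 1]
    return host

def plan_tail(paths, attrs):
    """Map each file that would be tailed to the host its events would get."""
    return {
        p: resolve_host(p, attrs.get("host"), attrs.get("host_regex"),
                        attrs.get("host_segment"))
        for p in paths
        if should_tail(p, attrs.get("_whitelist"), attrs.get("_blacklist"))
    }

# Constructed sample paths and attribute values.
PATHS = [
    "/var/log/webhead-1/access.log",
    "/var/log/webhead-2/access.log",
    "/var/log/webhead-2/debug.log",      # matches both lists: not tailed
    "/var/log/webhead-2/access.log.gz",  # fails _whitelist: not tailed
]
ATTRS = {"host": "loghost", "host_segment": "3",
         "_whitelist": r"\.log$", "_blacklist": r"debug"}

if __name__ == "__main__":
    for path, h in plan_tail(PATHS, ATTRS).items():
        print(f"{path} -> host::{h}")
```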
Batch
- move_policy = {passive_symlink, passive_copy, sinkhole} (passive_symlink)
This specifies the policy to be used to handle the files. The "sinkhole" policy will delete the files as they are read, while the other two methods will link or copy the files into a separate directory.
- host_regex (see Tail)
- host_segment (see Tail)
Batch input ignores these parameters:
- source
UDP
- connection_host = {ip,dns,} (ip)
The UDP input processor will rewrite the host with the IP address of the remote server if "ip" is set, the DNS name of the remote server if "dns" is set, and will do nothing to the host for any other string.
Distributed
- queue = (parsingQueue)
This specifies where the TCP input processor should deposit the events that it reads.
Examples
The following are example UDP input configurations. To use one of these configurations, copy the configuration block into $SPLUNK_HOME/etc/bundles/local/inputs.conf.
This configuration directs the server to listen on UDP port 514 for raw data from ANY remote server. The "host" of the data will be set as the IP address of the remote server.
[udp::514]
This configuration directs the server to listen on UDP port 9995 for raw data from ANY remote server. The "host" of the data will be set as the host name of the remote server. All data will also be assigned the sourcetype "log4j" and the source "UDP:9995".
[udp::9995]
connection_host = dns
sourcetype = log4j
source = udp:9995
This configuration directs the server to listen on UDP port 9994 for raw data from 10.1.1.10. All data will be assigned the host "webhead-1", the sourcetype "access_common" and the source "10.1.1.10/var/log/apache/access.log".
[udp:10.1.1.10:9994]
host = webhead-1
sourcetype = access_common
source = 10.1.1.10/var/log/apache/access.log
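An added example, not part of the Splunk documentation: a Python audit that reads an inputs.conf and lists the network stanzas whose remote-host field is blank, that is, the ones that accept data from any remote server. The sample text is the three stanzas above plus a constructed [default] entry; treating tcp and splunktcp headers as having the same shape as the udp ones is an assumption.

```python
import configparser

# The three UDP stanzas from the examples above, plus a constructed [default].
SAMPLE_INPUTS_CONF = """\
[default]
index = main

[udp::514]

[udp::9995]
connection_host = dns
sourcetype = log4j
source = udp:9995

[udp:10.1.1.10:9994]
host = webhead-1
sourcetype = access_common
source = 10.1.1.10/var/log/apache/access.log
"""

# Assumption: tcp and splunktcp stanza headers mirror the udp header shape.
NETWORK_TYPES = {"udp", "tcp", "splunktcp"}

def audit_network_inputs(conf_text):
    """Return one record per network input stanza, with [default] applied."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   default_section="default")
    cp.read_string(conf_text)
    records = []
    for name in cp.sections():
        kind, _, rest = name.partition(":")
        if kind not in NETWORK_TYPES:
            continue
        remote, _, port = rest.rpartition(":")
        attrs = cp[name]  # unspecified attributes come from [default]
        records.append({
            "stanza": name,
            "port": int(port),
            "remote": remote or None,
            "any_remote": remote == "",  # blank host matches all senders
            "connection_host": attrs.get("connection_host", "ip"),
            "index": attrs.get("index"),
        })
    return records

def open_listeners(conf_text):
    """Stanza names that accept data from any remote server."""
    return [r["stanza"] for r in audit_network_inputs(conf_text) if r["any_remote"]]
```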
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6