FAQ

 



Accessing Data

This documentation does not apply to the most recent version of Splunk.

How can I customize the way Splunk handles my data?

See the Admin Manual for information on configuring Splunk to handle a variety of data types.


How can I tell if all my data has been indexed?

The total number of events in your index is listed on your Splunk Web homepage. For more information, click the Admin link in the upper right corner of the homepage. The Admin page includes an Input Status tab that lists each method of data input, including which methods are still processing files.


Splunk for index::splunklogger to see the history of everything your server has done since startup.


I have more than 10,000 events indexed. Why don't they all show up when I run a "meta::all" search?

A Splunk search defaults to the most recent 10,000 events, almost always sorted by time. To see more than 10,000 events, change the setting in the Preferences menu in Splunk Web.


How do I configure Splunk to index archived (non-growing) files?

In Splunk Web, choose Admin > Data Inputs > Files and Directories and add a directory. Choose "Watch and copy" or "Watch and symlink" in the dropdown under source.


How do I configure Splunk to index live (constantly-growing) files?

In Splunk Web, choose Admin > Data Inputs > Files and Directories and add a file or directory. Choose "Tail" in the dropdown under source.


Can I set up a live input of data from different hosts to my central Splunk server?

Yes, for both the free and enterprise license (although an enterprise license makes it a lot easier).


If you have a free license, either mount your remote log files, or use remote syslog to send data from your production hosts to a syslog file on the Splunk server. Then, load this data into your Splunk server. If you have an enterprise license, you can install Splunk on your production hosts to access local data and forward from those Splunk servers to your central Splunk server in real time over TCP. All your options for deploying Splunk across a network are described in our Deployment section.

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14

