streams.conf

This documentation does not apply to the most recent version of Splunk.

streams.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0
#
# This file controls filters for live tail (a real-time view of data as it's indexed).
# Apply search filters so that only the data you are interested in shows up in the live tail interface.
#
# There is a streams.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place a streams.conf in $SPLUNK_HOME/etc/system/local/.  For examples, see streams.conf.example.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[stream:<stream name>]
        * You may have as many of these stanzas as you wish.  
        * CAUTION: DO NOT USE THE NAME "livetail" as it is reserved by the system.
        
filter = <search string>
        * Filter your live tail data on a search string.
        * This filter is applied to the stream above.
        * Currently, these searches CANNOT include piping.
        * You can use the following fields (and ONLY the following fields) in your filter:
          source, sourcetype, host.


streams.conf.example

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains an example streams.conf.  Use this file to configure filters for live tail.
#
# To use one or more of these configurations, copy the configuration block into
# streams.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
# This example sets up a Live Splunk named apacheerrors that is filtered with the search
# "error sourcetype=apache".  Customize the name and search string as you see fit.
[stream:apacheerrors]
filter = error sourcetype=apache
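
The restrictions in streams.conf.spec (reserved stream name, no piping, only source, sourcetype and host as fields) can be checked before a restart. The following linter is an added example, not Splunk code; the function name lint_streams_conf, the sample stanzas and the treatment of double-quoted text as a literal phrase are assumptions.

```python
import re

ALLOWED_FIELDS = {"source", "sourcetype", "host"}  # the only fields the spec permits
RESERVED_NAMES = {"livetail"}                      # reserved by the system
STANZA_RE = re.compile(r"^\[stream:([^\]]+)\]$")
QUOTED_RE = re.compile(r'"[^"]*"')
FIELD_RE = re.compile(r"(\w+)\s*!?=")

# Constructed sample input, not taken from the Splunk documentation.
SAMPLE = """\
[stream:apacheerrors]
filter = error sourcetype=apache

[stream:livetail]
filter = error host=web01 | head 10

[stream:authfail]
filter = "failed password" user=root source="/var/log/secure"
"""

def lint_streams_conf(text):
    """Return (line_number, message) findings for the text of a streams.conf."""
    findings, stanza = [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA_RE.match(line)
            stanza = (m.group(1).strip() or None) if m else None
            if not stanza:
                findings.append((lineno, "not a [stream:<stream name>] stanza"))
            # Assumption: compare case-insensitively to stay on the safe side.
            elif stanza.lower() in RESERVED_NAMES:
                findings.append((lineno, f"stream name {stanza!r} is reserved"))
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "filter":
            continue  # the spec describes no other key
        if stanza is None:
            findings.append((lineno, "filter is not inside a stream stanza"))
        # Assumption: double-quoted text is a literal phrase, so blank it first.
        bare = QUOTED_RE.sub('""', value)
        if "|" in bare:
            findings.append((lineno, "filter uses a pipe, which is not supported"))
        for field in FIELD_RE.findall(bare):
            if field not in ALLOWED_FIELDS:
                findings.append((lineno, f"field {field!r} is not allowed"))
    return findings
```

Calling lint_streams_conf(SAMPLE) reports the reserved name on line 4, the pipe on line 5 and the user field on line 8; the apacheerrors stanza passes.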

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14

