Use Data Inputs page
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Use Data Inputs page
This topic discusses how to use Splunk Web's Admin > Data Inputs page to add new inputs and edit existing inputs. These inputs include files, directories, FIFO queues, and network ports.
For more information about the different inputs you can add to Splunk, read About inputs.
Access Data Inputs page
In Splunk Web, you can add and manage all your data inputs from the Admin page:
1. On the upper righthand corner of any of the dashboards, click Admin.
2. From the lefthand navigation list, click Data Inputs.
This takes you to the Admin > Data Inputs: All page which tells you how many inputs you have in each category: Files & Directories, FIFO Queue, Network Ports, and Crawls.
You can add new inputs directly from this page by clicking Add input in the "Actions" column. If you want to view and edit the actual inputs, click on the input category.
Crawl for data to index
Use the Data Inputs: Crawls page to run:
- New crawls that search for input sources to add.
- Saved crawls that update existing inputs.
Refer to Use crawl for more information on this search feature.
Add files and directories
Use the Data Inputs: Files & Directories page to view and edit properties for monitored directories and uploaded files. Configure new inputs by clicking New Inputs. Change existing inputs by clicking on the input's path in the File or Directory column.
To add a new input:
1. Click New Input.
2. Under Data access, choose one of the following options:
- Monitor a directory: to index a directory and continuously update when changes are made to that directory.
- Upload a local file: to upload a file from your machine and index it.
- Index a file on the Splunk server: to copy a file from the server directly into the your index.
3. Specify a pathname to the file or directory. If you choose to Upload a local file, you can browse for the source.
4. Under Host, select the host type under Set host and supply the required host value. Your host options depend on the data access method you selected in Step 2.
If you chose Monitor a directory, the Set host options include:
- Constant value: requires a fully qualified domain name or IP address.
- Regex on path: requires a regular expression for the host path.
- Sement in path: requires a segment number.
If you chose Upload a local file or Index a file on the Splunk server, you can only set Set host to Constant value. This requires a fully qualified domain name or IP address.
Note: Refer to the Admin manual for more information about assigning host values to an input.
5. Under Source Type, set the source type to:
- Automatic: to let Splunk define the
sourcetypevalue. - From list: to select from a drop-down list of existing
sourcetypevalues. - Manual: to supply a custom
sourcetypevalue in the field provided.
6. Click Submit to save your new input.
Note: Refer to the Admin manual for more information about setting the source type for an input.
Add FIFO queues
Caution: FIFOs are not recommended for application servers forwarding data to Splunk in a distributed setting. Due to their vulnerability, Splunk does not recommend that you use FIFOs. Monitor is a more reliable, stable method. Support FIFO inputs is deprecated and will be removed in a future release of Splunk.
Use the Data Inputs: FIFO Queues page to view and edit properties of each FIFO processed by Splunk. Configure new inputs by clicking New Inputs. Change existing inputs by clicking on the input's path in the list.
To add a new input:
1. Click New Input.
2. Under Source, type in the path to the FIFO.
3. Under Host, select the host type under Set host and supply the required host value.
Note: You only have one host type option, Constant value, which requires a Fully qualified domain name or IP address.
4. Under Source Type, set the source type to:
- From list: to select from a drop-down list of existing sourcetype values.
- Manual: to supply a custom sourcetype value in the field provided.
Note: If you chose From list, the default Source type is access_combined.
5. Click Submit to save your new input.
Add network ports
Use the Data Inputs: Network Ports page to view and edit properties for UDP or TCP ports watched by Splunk. Configure new inputs by clicking New Inputs. Change existing inputs by clicking on the input's path in the list.
To add a new input:
1. Click New Input.
2. Under Source, select a Protocol and supply a Port number:
- If you select UDP, the Port defaults to 514.
- If you select TCP, the Port defaults to 9998.
Note: The default protocol is TCP.
3. Specify whether or not you want this port to accept connections from all host (Yes) or restrict to one host (No).
If you chose No, supply the IP address of the Host in the field provided.
4. Under Source Type, set the source type to:
- From list: to select from a drop-down list of existing sourcetype values.
- Manual: to supply a custom sourcetype value in the field provided.
Note: If you chose From list, the default Source type is syslog.
5. Click Submit to save your new input.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.