inputs.conf
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
inputs.conf
inputs.conf configures all inputs to Splunk including file and directory tailing and watching, network ports and scripted inputs.
For help configuring inputs, see how input configuration works.
Note: Splunk looks for the inputs it is configured to monitor every 24 hours starting from the time it was last restarted. This means that if you add a stanza to monitor a directory or file that doesn't exist yet, it could take up to 24 hours for Splunk to start indexing its contents. To ensure that your input is immediately recognized and indexed, add the input via Splunk Web or by using the add command in the CLI.
Important: To avoid performance issues, Splunk recommends that you set followTail=1 if you are deploying Splunk to systems containing significant quantities of historical data. Setting followTail=1 for a monitor input means that any new incoming data is indexed when it arrives, but anything already in files on the system when Splunk was first started will not be processed.
inputs.conf.spec
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
# This file contains possible attributes and values you can use to configure inputs,
# distributed inputs and file system monitoring in inputs.conf.
#
# There is an inputs.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations,
# place an inputs.conf in $SPLUNK_HOME/etc/system/local/. For examples, see inputs.conf.example.
# You must restart Splunk to enable new configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
#
#*******
# WINDOWS INPUTS:
#*******
* Windows platform specific input processor.
* These inputs are enabled by default. To disable an input type, comment it out in $SPLUNK_HOME\etc\system\local\inputs.conf.
[WinEventLog:Application]
[WinEventLog:Security]
[WinEventLog:System]
#*******
# GENERAL SETTINGS:
# The following attributes/value pairs are valid for ALL input types (except file system change monitor).
# You must first enter a stanza header, specifying the input type.
# Then, use any of the following attribute/value pairs.
#*******
host = <string>
* Set the default host to a static value.
* "host=" is automatically prepended to <string>.
* Defaults to the IP address of fully qualified domain name of the host where the data originated.
index = <string>
* Set the index to store events from this input.
* "index=" is automatically prepended to <string>.
* Defaults to "index=main" (or whatever you have set as your default index).
source = <string>
* Set the source for events from this input.
* "source=" is automatically prepended to <string>.
* Defaults to the file path.
sourcetype = <string>
* Set the sourcetype for events from this input.
* "sourcetype=" is automatically prepended to <string>.
* Splunk automatically picks a source type based on various aspects of your data. There is no hard-coded default.
queue = parsingQueue | indexQueue
* Specify where the input processor should deposit the events it reads.
* Set to "parsingQueue" to apply props.conf and other parsing rules to your data.
* Set to "indexQueue" to send your data directly into the index.
* Defaults to parsingQueue.
#*******
# Valid input types follow, with input-specific attributes listed as well:
#*******
#*******
# MONITOR:
#*******
[monitor://<path>]
* This directs Splunk to watch all files in <path>.
* <path> can be an entire directory or just a single file.
* You must specify the input type and then the path, so put three slashes in your path if you're starting at the root.
# Additional attributes:
host_regex = <regular expression>
* If specified, <regular expression> extracts host from the filename of each input.
* Specifically, the first group of the regex is used as the host.
* If the regex fails to match, the default "host =" attribute is used.
host_segment = <integer>
* If specified, the '/' separated segment of the path is set as host.
* If the value is not an integer, or is less than 1, the default "host =" attribute is used.
_whitelist = <regular expression>
* If set, files from this path are monitored only if they match the specified regex.
_blacklist = <regular expression>
* If set, files from this path are NOT monitored if they match the specified regex.
Note: Wildcards and monitor:
* You can use wildcards to specify your input path for monitored input. Use ... for paths and * for files.
* ... recurses through directories until the match is met. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc. but only if bar is a file.
* To recurse through a subdirectory, use another .... For example /foo/.../bar/....
* * matches anything in that specific path segment. It cannot be used inside of a directory path; it must be used in the last segment of the path. For example /foo/*.log matches /foo/bar.log but not /foo/bar.txt or /foo/bar/test.log.
* Combine * and ... for more specific matches:
* foo/.../bar/* matches any file in the bar directory within the specified path.
crcSalt = <string>
* Use this to force Splunk to consume files with matching CRCs.
* Set any string to add to the CRC.
* If set to "crcSalt = <SOURCE>" (the actual string <SOURCE>), then the full source path is added to the CRC.
followTail = 0 | 1
* If set to 1, monitoring begins at the end of the file (like tail -f).
* This only applies to files the first time Splunk sees them.
* After that, Splunk's internal file position records keep track of the file.
dedicatedFD = 0 | 1
* Dedicates a file descriptor to the input.
* Only accepted if monitor path points directly to a file (as opposed to a directory) and does not use the * or ... wildcards.
* Set the available number of FDs in limits.conf.
* Make sure you don't use up all the FDs as this may cause other data to be ignored.
* WARNING: This setting can drastically affect your Splunk install, as well as the server it is running on. Do NOT set unless you know exactly what you're doing.
alwaysOpenFile = 0 | 1
* Opens a file to check if it has already been indexed.
* Only useful for files that don't update modtime.
* Should only be used for monitoring files on Windows, and mostly for IIS logs.
* NOTE: This flag should only be used as a last resort, as it increases load and slows down indexing.
#*******
# BATCH:
#*******
[batch://<path>]
* One time, destructive input.
* For continuous, non-destructive inputs, use **monitor**.
# Additional attributes:
move_policy = sinkhole.
* Important = You must set move_policy = sinkhole.
* This loads the file destructively.
* Do not use this input type for files you do not want to consume destructively.
host_regex (see MONITOR, above)
host_segment (see MONITOR, above)
# IMPORTANT: The following are not used by batch:
source = <string>
<KEY> = <string>
#*******
# TCP:
#*******
[tcp://<remote server>:<port>]
* Configure Splunk to listen on a specific port.
* If a connection is made from <remote server>, this stanza is used to configure the input.
* If <remote server> is blank, this stanza matches all connections on the specified port.
# Additional attributes:
connection_host = ip | dns
* Set to either "ip" or "dns."
* "ip" sets the TCP input processor to rewrite the host with the IP address of the remote server.
* "dns" sets the host to the DNS entry of the remote server.
* Defaults to ip.
#*******
# Data distribution:
#*******
[Splunktcp://<remote server>:<port>]
* This is the same as TCP, except the remote server is assumed to be a Splunk server.
* For SplunkTCP, the host or connection_host will be used if the remote Splunk server does not set a host, or if the host is set to host::localhost.
* See documentation (http://www.splunk.com/doc/latest/admin/ForwardingReceiving) for help.
[splunktcp]
route = has_key | absent_key:<key>:<queueName>;...
* Settings for the light forwarder.
* Splunk sets these parameters automatically -- you DO NOT need to set them.
* The property route is composed of rules delimited by ';'.
* Splunk checks each incoming data payload via cooked tcp port against the route rules.
* If a matching rule is found, Splunk sends the payload to the specified <queueName>.
* If no matching rule is found, Splunk sends the payload to the default queue
specified by any queue= for this stanza. If no queue= key is set in
the stanza or globally, the events will be sent to the parsingQueue.
# SSL settings for data distribution:
[splunktcp-ssl:PORT]
* Use this stanza name if you are sending encrypted, cooked data from Splunk.
* Set PORT to the port on which your forwarder is sending cooked, encrypted data.
* Forwarder settings are set in outputs.conf on the forwarder-side.
[tcp-ssl:PORT]
* Use this stanza name if you are sending encrypted, raw data from a third-party system.
* Set PORT to the port on which your forwarder is sending raw, encrypted data.
[SSL]
* Set the following specifications for SSL underneath this stanza name:
serverCert = <path>
* Full path to the server certificate.
password = <string>
* Server certificate password, if any.
rootCA = <string>
* Certificate authority list (root file).
requireClientCert = true | false
* Toggle whether it is required for a client to authenticate.
supportSSLV3Only = <true|false>
* If true, tells the inputproc to only accept connections
* from SSLv3 clients.
* Default is false.
cipherSuite = <cipher suite string>
* If set, uses the specified cipher string for the input processors.
* If not set, uses the default cipher string
* provided by OpenSSL. This is used to ensure that the server does not
* accept connections using weak encryption protocols.
#*******
# UDP:
#*******
[udp://<port>]
* Similar to TCP, except that it listens on a UDP port.
# Additional attributes:
_rcvbuf = <integer>
* Specify the receive buffer for the UDP port (in bytes).
* If the value is 0 or negative, it is ignored.
* Defaults to 1,000,000 (or 1 MB).
* Note: The default in the OS varies.
no_priority_stripping = true
* If this attribute is set to true, then Splunk does NOT strip the <priority> syslog field from received events.
* NOTE: Do NOT include this key if you want to strip <priority>.
no_appending_timestamp = true
* If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events.
* NOTE: Do NOT include this key if you want to append timestamp and host to received events.
#*******
# FIFO:
#*******
[fifo://<path>]
* This directs Splunk to read from a FIFO at the specified path.
#*******
# Scripted Input:
#*******
[script://<cmd>]
* Runs <cmd> at a configured interval (below) and indexes the output.
* The command must reside in $SPLUNK_HOME/etc/system/bin/ or ../etc/apps/$YOUR_APP/bin/.
interval = <integer>
* How often to execute the specified command (in seconds).
* Defaults to 60 seconds.
passAuth = <username>
* User to run the script under.
* If you provide a username, Splunk generates an auth token for that user and passes it to the script via stdin.
#*******
# File system change monitor
#*******
[fschange:<path>]
* Monitors all add/update/deletes to this directory and sub directories.
* NOTE: <path> is the direct path. You do not need to preface it with // like other inputs.
* Sends an event for every change.
* NOTE: You cannot simultaneously watch a directory using fs change monitor and monitor (above).
# Additional attributes:
# NOTE: fschange does not use the same attributes as other input types (above). Use only the following attributes.
filters = <filter1>,<filter2>,...<filterN>
* Each filter is applied left to right for each file or directory found during the monitor's poll cycle.
* See "File System Monitoring Filters" below for help defining a filter.
recurse = true | false
* If true, recurse directories within the directory specified in [fschange].
* Defaults to true.
followLinks = true | false
* Follow symbolic links if true.
* It is recommended that you do not set this to true or file system loops may occur.
* Defaults to false.
pollPeriod = <integer>
* Check this directory for changes every <integer> seconds.
* Defaults to 3600.
hashMaxSize = <integer>
* Calculate a SHA256 hash for every file that is less than or equal to <integer> bytes.
* This hash is used as an addional method for detecting changes to the file/directory.
* Defaults to -1 (disabled).
fullEvent = true | false
* Set to true to send the full event if an add or update change is detected.
* Further qualified by the 'sendEventMaxSize' attribute.
* Defaults to false.
sendEventMaxSize = <integer>
* Only send the full event if the size of the event is less than or equal to <integer> bytes.
* This limits the size of indexed file data.
* Defaults to -1, which is unlimited.
signedaudit = true | false
* Send cryptographically signed add/update/delete events.
* If set to true, events are *always* sent to the '_audit' index and will *always* have the sourcetype 'audittrail'.
* If set to false, events are placed in the main index and the source type is whatever you specify (or 'fs_notification' by default).
* NOTE: You MUST also enable auditing in audit.conf.
* Defaults to false.
index = <index name>
* The index to store all events generated.
* Defaults to _audit.
sourcetype = <string>
* Set the sourcetype for events from this input.
* "sourcetype=" is automatically prepended to <string>.
filesPerDelay = <integer>
* Injects a delay specified by 'delayInMills' after processing <integer> files.
* This is used to throttle file system monitoring so it doesn't consume as much CPU.
delayInMills = <integer>
* The delay in milliseconds to use after processing every <integer> files as specified in 'filesPerDelay'.
* This is used to throttle file system monitoring so it doesn't consume as much CPU.
#*******
# File system monitoring filters:
#*******
[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.
<filtertype>
* Filter types are either 'blacklist' or 'whitelist.'
* A whitelist filter processes all file names that match the regex list.
* A blacklist filter skips all file names that match the regex list.
<filtername>
* The filter name is used in the comma-separated list when defining a file system monitor.
regex<integer> = <regex>
* Blacklist and whitelist filters can include a set of regexes.
* The name of each regex MUST be 'regex<integer>', where <integer> starts at 1 and increments.
* Splunk applies each regex in numeric order:
regex1=<regex>
regex2=<regex>
...
inputs.conf.example
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0 # # This is an example inputs.conf. Use this file to configure data inputs. # # To use one or more of these configurations, copy the configuration block into # inputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to # enable configurations. # # To learn more about configuration files (including precedence) please see the documentation # located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork. # The following configuration directs Splunk to read all the files in the directory /var/log. [monitor:///var/log] # The following configuration directs Splunk to read all the files under /var/log/httpd and classify them # as sourcetype::access_common. [monitor:///var/log/httpd] sourcetype = access_common # The following configuration directs Splunk to read all the files under /mnt/logs. When the path is # /mnt/logs/<host>/... it sets the hostname (by file) to <host>. [monitor:///mnt/logs] host_segment = 3 # The following configuration directs Splunk to listen on TCP port 9997 for raw data from ANY remote server # (not just a Splunk instance). The host of the data is set to the IP address of the remote server. [tcp://:9997] # The following configuration directs Splunk to listen on TCP port 9995 for raw data from ANY remote server. # The host of the data is set as the host name of the remote server. All data will also be # assigned the sourcetype "log4j" and the source "tcp:9995." [tcp://:9995] connection_host = dns sourcetype = log4j source = tcp:9995 # The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10. # All data is assigned the host "webhead-1", the sourcetype "access_common" and the # the source "//10.1.1.10/var/log/apache/access.log." [tcp://10.1.1.10:9995] host = webhead-1 sourcetype = access_common source = //10.1.1.10/var/log/apache/access.log # The following configuration sets a global default for data payloads sent from the light forwarder. # The route parameter is an ordered set of rules that is evaluated in order for each payload of cooked data. [splunktcp] route=has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue; # The following configuration directs Splunk to listen on TCP port 9996 for distributed search data from ANY # remote server. The data is delivered directly to the indexer on the local machine without any # further processing. The host of the data is set to the host name of the remote server ONLY # IF the remote data has no host set, or if it is set to "localhost." [splunktcp://:9996] queue = indexQueue connection_host = dns # The following configuration directs Splunk to listen on TCP port 9998 for distributed search data from # 10.1.1.100. The data is processed the same as locally indexed data. [splunktcp://10.1.1.100:9996] # The following configuration directs Splunk to listen on TCP port 514 for data from # syslog.corp.company.net. The data is assigned the sourcetype "syslog" and the host # is set to the host name of the remote server. [tcp://syslog.corp.company.net:514] sourcetype = syslog connection_host = dns # Set up SSL: [SSL] serverCert=$SPLUNK_HOME/etc/auth/server.pem password=password rootCA=$SPLUNK_HOME/etc/auth/CAcert.pem requireClientCert=false [splunktcp-ssl:9996] # Use file system change monitor: [fschange:/etc/] fullEvent=true pollPeriod=60 recurse=true sendEventMaxSize=100000 index=main
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.