inputs.conf
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
inputs.conf
The following are the spec and example files for inputs.conf.
inputs.conf.spec
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.2
# This file contains possible attributes and values you can use to configure inputs,
# distributed inputs such as forwarders, and file system monitoring in inputs.conf.
#
# There is an inputs.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations,
# place an inputs.conf in $SPLUNK_HOME/etc/system/local/. For examples, see inputs.conf.example.
# You must restart Splunk to enable new configurations.
#
# To learn more about configuration files (including precedence), see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
#
#*******
# GENERAL SETTINGS:
# The following attribute/value pairs are valid for all input types (except file
# system change monitor, which is described in a separate section in this file).
# You must first enter a stanza header in square brackets, specifying the input type.
# See further down in this file for examples.
# Then, use any of the following attribute/value pairs.
#*******
host = <string>
* Sets the host key/field to a static value for this stanza.
* Primarily used to control the host field, which will be used for events coming in
via this input stanza.
* Detail: Sets the host key's initial value. The key is used during parsing/indexing,
in particular to set the host field. It is also the host field used at search time.
* As a convenience, the chosen string is prepended with 'host::'.
* If not set explicitly, this defaults to the IP address or fully qualified
domain name of the host where the data originated.
index = <string>
* Sets the index to store events from this input.
* Primarily used to specify the index to store events coming in via this input stanza.
* Detail: Sets the index key's initial value. The key is used when selecting an
index to store the events.
* Defaults to "main" (or whatever you have set as your default index).
source = <string>
* Sets the source key/field for events from this input.
* NOTE: Overriding the source key is generally not recommended. Typically, the
input layer will provide a more accurate string to aid in problem
analysis and investigation, accurately recording the file from which the data
was retreived. Please consider use of source types, tagging, and search
wildcards before overriding this value.
* Detail: Sets the source key's initial value. The key is used during
parsing/indexing, in particular to set the source field during
indexing. It is also the source field used at search time.
* As a convenience, the chosen string is prepended with 'source::'.
* Defaults to the input file path.
sourcetype = <string>
* Sets the sourcetype key/field for events from this input.
* Primarily used to explicitly declare the source type for this data, as opposed
to allowing it to be determined via automated methods. This is typically
important both for searchability and for applying the relevant configuration for this
type of data during parsing and indexing.
* Detail: Sets the sourcetype key's initial value. The key is used during
parsing/indexing, in particular to set the source type field during
indexing. It is also the source type field used at search time.
* As a convenience, the chosen string is prepended with 'sourcetype::'.
* If unset, Splunk picks a source type based on various aspects of the data.
There is no hard-coded default.
queue = [parsingQueue|indexQueue]
* Specifies where the input processor should deposit the events it reads.
* Set queue to "parsingQueue" to apply props.conf and other parsing rules to your data.
For more information about props.conf and rules for timestamping and linebreaking, refer
to props.conf and the online documentation at http://www.splunk.com/base/Documentation.
* Set queue to "indexQueue" to send your data directly into the index.
* Defaults to parsingQueue.
# ***********
# This section contains options for routing data using inputs.conf rather than outputs.conf.
# Note concerning routing via inputs.conf:
# This is a simplified set of routing options you can use as data is coming in.
# For more flexible options or details on configuring required or optional settings, refer to
# outputs.conf.spec.
_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>, ...
* Comma-separated list of tcpout group names.
* Using this, you can selectively forward the data to specific indexer(s).
* Specify the tcpout group the forwarder should use when forwarding the data.
The tcpout group names are defined in outputs.conf with [tcpout:<tcpout_group_name>].
* Defaults to groups specified in "defaultGroup" in [tcpout] stanza in outputs.conf.
_SYSLOG_ROUTING = <syslog_group_name>,<syslog_group_name>,<syslog_group_name>, ...
* Comma-separated list of syslog group names.
* Using this, you can selectively forward the data to specific destinations as syslog events.
* Specify the syslog group to use when forwarding the data.
The syslog group names are defined in outputs.conf with [syslog:<syslog_group_name>].
* Defaults to groups present in "defaultGroup" in [syslog] stanza in outputs.conf.
* The destination host must be configured in outputs.conf, using "server=[<ip>|<servername>]:<port>".
_HTTP_ROUTING = <http_group_name>,<http_group_name>,<http_group_name>, ...
* Comma-separated list of http group names.
* Using this, you can selectively forward the data to specific destinations via http.
* Specify the http group to use when forwarding the data.
The http group names are defined in outputs.conf with [httpoutput:<http_group_name>].
* Defaults to groups present in "defaultGroup" in [httpoutput] stanza in outputs.conf.
* The username, password, and server must be configured in outputs.conf.
#*******
# Valid input types follow, along with their input-specific attributes:
#*******
#*******
# MONITOR:
#*******
[monitor://<path>]
* This directs Splunk to watch all files in <path>.
* <path> can be an entire directory or just a single file.
* You must specify the input type and then the path, so put three slashes in your path
if you're starting at the root (to include the slash that goes before the root directory).
# Additional attributes:
host_regex = <regular expression>
* If specified, <regular expression> extracts host from the path to the file for each
input file.
* Detail: This feature examines the source key, so if source is set
explicitly in the stanza, that string will be matched, not the original filename.
* Specifically, the first group of the regex is used as the host.
* If the regex fails to match, the default "host =" attribute is used.
* If host_regex and host_segment are both set, host_regex will be ignored.
* Defaults to unset.
host_segment = <integer>
* If specified, the "/" separated segment of the path is set as host. If host_segment=3,
for example, the third segment is used.
* If the value is not an integer or is less than 1, the default "host =" attribute is used.
* Defaults to unset.
whitelist = <regular expression>
* If set, files from this path are monitored only if they match the specified regex.
* Takes precedence over the deprecated _whitelist attribute, which functions the same way.
blacklist = <regular expression>
* If set, files from this path are NOT monitored if they match the specified regex.
* Takes precedence over the deprecated _blacklist attribute, which functions the same way.
Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input. Use "..." for
recursive directory matching and "*" for wildcard matching in a single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will match foo/bar, foo/1/bar,
foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it does not recurse.
For example, /foo/*/bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc.
However, it does not match /foo/1/2/bar .
A second example: /foo/m*r/bar matches /foo/bar, /foo/mr/bar, /foo/mir/bar, /foo/moor/bar, etc.
* You can combine "*" and "..." as required: foo/.../bar/* matches any file in the bar directory
within the specified path.
crcSalt = <string>
* Use this setting to force Splunk to consume files that have matching CRCs (cyclic redundancy
checks).(Splunk only performs CRC checks against the first few lines of a file. This behavior
prevents Splunk from indexing the same file twice, even though you may have renamed it -- as,
for example, with rolling log files. However, because the CRC is based on only the first few
lines of the file, it is possible for legitimately different files to have matching CRCs,
particularly if they have identical headers.)
* If set, <string> is added to the CRC.
* If set to the literal string <SOURCE> (including the angle brackets), the full directory
path to the source file is added to the CRC. This ensures that each file being monitored has a
unique CRC. When crcSalt is invoked, it is usually set to <SOURCE>.
* Be cautious about using this attribute with rolling log files; it could lead to the log file
being re-indexed after it has rolled.
* Defaults to empty.
ignoreOlderThan = <time window>
* Causes the monitored input to stop checking files for updates if their modtime has passed this
threshold. This improves the speed of file tracking operations when monitoring directory
hierarchies with large numbers of historical files (for example, when active log files are
colocated with old files that are no longer being written to).
* A file whose modtime falls outside this time window when seen for the first time will not be
indexed at all.
* Value must be: <number><unit> (e.g., 7d is one week). Valid units are d (days),
m (minutes), and s (seconds).
* Default: disabled.
followTail = [0|1]
* Determines whether to start monitoring at the beginning of a file or at the end (and then
index all events that come in after that).
* If set to 1, monitoring begins at the end of the file (like tail -f).
* If set to 0, Splunk will always start at the beginning of the file.
* This only applies to files the first time Splunk sees them. After that, Splunk's internal
file position records keep track of the file.
* Defaults to 0.
alwaysOpenFile = [0|1]
* Opens a file to check whether it has already been indexed.
* Only useful for files that don't update modtime.
* Only needed when monitoring files on Windows, mostly for IIS logs.
* This flag should only be used as a last resort, as it increases load and slows down indexing.
* Defaults to 0.
time_before_close = <integer>
* Modtime delta required before Splunk can close a file on EOF.
* Tells the system not to close files that have been updated in past <integer> seconds.
* Defaults to 3.
recursive = [true|false]
* If false, Splunk will not monitor subdirectories found within a monitored directory.
* Defaults to true.
followSymlink = [true|false]
* If false, Splunk will ignore symbolic links found within a monitored directory.
* Defaults to true.
_whitelist = ...
* This setting is deprecated. It is still honored, unless "whitelist" attribute also exists.
_blacklist = ...
* This setting is deprecated. It is still honored, unless "blacklist" attribute also exists.
dedicatedFD = ...
* This setting has been removed. It is no longer needed.
#****************************************
# BATCH ("Upload a file" in Splunk Web):
#****************************************
NOTE: Batch should only be used for large archives of historic data. If you want to continuously
monitor a directory or index small archives, use monitor (see above). Batch reads in the file
and indexes it, and then deletes the file from the Splunk instance.
[batch://<path>]
* One time, destructive input of files in <path>.
* For continuous, non-destructive inputs of files, use monitor instead.
# Additional attributes:
move_policy = sinkhole
* IMPORTANT: This attribute/value pair is required. You *must* include "move_policy = sinkhole"
when defining batch inputs.
* This loads the file destructively.
* Do not use the batch input type for files you do not want to consume destructively.
host_regex = see MONITOR, above.
host_segment = see MONITOR, above.
crcSalt = see MONITOR, above.
# IMPORTANT: The following attribute is not used by batch:
# source = <string>
#*******
# TCP:
#*******
[tcp://<remote server>:<port>]
* Configure Splunk to listen on a specific port.
* If a connection is made from <remote server>, this stanza is used to configure the input.
* If <remote server> is empty, this stanza matches all connections on the specified port.
* Will generate events with source set to tcp:portnumber, for example: tcp:514
* If sourcetype is unspecified, will generate events with set sourcetype to tcp-raw.
# Additional attributes:
connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.
* Defaults to "dns".
queueSize = <integer>[KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.
persistentQueueSize = <integer>[KB|MB|GB|TB]
* Maximum size of the persistent queue file.
* Defaults to 0 (no persistent queue).
* Persistent queues can help prevent loss of transient data. For information on persistent queues
and how the queueSize and persistentQueueSize settings interact, see the online documentation.
#*******
# Data distribution:
#*******
# Global settings for splunktcp. Used on the receiving side for data forwarded from a forwarder.
[splunktcp]
route = [has_key|absent_key:<key>:<queueName>;...]
* Settings for the light forwarder.
* Splunk sets these parameters automatically -- you DO NOT need to set them.
* The property route is composed of rules delimited by ';'.
* Splunk checks each incoming data payload via cooked tcp port against the route rules.
* If a matching rule is found, Splunk sends the payload to the specified <queueName>.
* If no matching rule is found, Splunk sends the payload to the default queue
specified by any queue= for this stanza. If no queue= key is set in
the stanza or globally, the events will be sent to the parsingQueue.
compressed = [true|false]
* Specifies whether receiving compressed data.
* If set to true, the forwarder port(s) should also have compression turned on; otherwise, the
receiver will reject the connection.
* Defaults to false.
enableS2SHeartbeat = [true|false]
* This specifies the global keepalive setting for all splunktcp ports.
* This option is used to detect forwarders which may have become unavailable due to network,
firewall, etc., problems.
* Splunk will monitor each connection for presence of heartbeat, and if the heartbeat is not seen for
s2sHeartbeatTimeout seconds, it will close the connection.
* Defaults to true (heartbeat monitoring enabled).
s2sHeartbeatTimeout = <seconds>
* This specifies the global timeout value for monitoring heartbeats.
* Splunk will will close a forwarder connection if heartbeat is not seen for s2sHeartbeatTimeout seconds.
* Defaults to 600 seconds (10 minutes).
inputShutdownTimeout = <seconds>
* Used during shutdown to minimize data loss when forwarders are connected to a receiver.
During shutdown, the tcp input processor waits for the specified number of seconds and then
closes any remaining open connections. If, however, all connections close before the end of
the timeout period, shutdown proceeds immediately, without waiting for the timeout.
# Forwarder-specific settings for splunktcp.
[splunktcp://<remote server>:<port>]
* This input stanza is used with Splunk instances receiving data from forwarders ("receivers").
See the topic http://www.splunk.com/doc/latest/deploy/Aboutforwardingandreceivingdata for
more information.
* This is the same as TCP, except the remote server is assumed to be a Splunk instance, most
likely a forwarder.
* For SplunkTCP, the host or connection_host will be used if the remote Splunk instance does
not set a host, or if the host is set to "<host>::<localhost>".
enableS2SHeartbeat = [true|false]
* This specifies the keepalive setting for the splunktcp port.
* This option is used to detect forwarders which may have become unavailable due to network,
firewall, etc., problems.
* Splunk will monitor the connection for presence of heartbeat, and if the heartbeat is not seen for
s2sHeartbeatTimeout seconds, it will close the connection.
* This overrides the default value specified at the global [splunktcp] stanza.
* Defaults to true (heartbeat monitoring enabled).
s2sHeartbeatTimeout = <seconds>
* This specifies the timeout value for monitoring heartbeats.
* Splunk will will close the forwarder connection if heartbeat is not seen for s2sHeartbeatTimeout
seconds.
* This overrides the default value specified at global [splunktcp] stanza.
* Defaults to 600 seconds (10 minutes).
queueSize = <integer>[KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.
# SSL settings for data distribution:
[splunktcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, parsed data from a forwarder.
* Set <port> to the port on which the forwarder is sending the encrypted data.
* Forwarder settings are set in outputs.conf on the forwarder.
enableS2SHeartbeat = true|false
* See comments for [splunktcp:<port>].
s2sHeartbeatTimeout = <seconds>
* See comments for [splunktcp:<port>].
compressed = [true|false]
* Specifies whether receiving compressed data.
* If set to true, the forwarder port must also have compression turned on.
* Defaults to false.
[tcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or
third-party system.
* Set <port> to the port on which the forwarder/third-party system is sending unparsed,
encrypted data.
[SSL]
* Set the following specifications for SSL underneath this stanza name:
serverCert = <path>
* Full path to the server certificate.
password = <string>
* Server certificate password, if any.
rootCA = <string>
* Certificate authority list (root file).
requireClientCert = [true|false]
* Determines whether a client must authenticate.
* Defaults to false.
supportSSLV3Only = [true|false]
* If true, tells the inputproc to accept connections only from SSLv3 clients.
* Defaults to false.
cipherSuite = <cipher suite string>
* If set, uses the specified cipher string for the input processors.
* If not set, the default cipher string is used.
* Provided by OpenSSL. This is used to ensure that the server does not
accept connections using weak encryption protocols.
#*******
# UDP:
#*******
[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Configure Splunk to listen on a specific port.
* If <remote server> is specified, the specified port will only accept data from that server.
* If <remote server> is empty - [udp://<port>] - the port will accept data sent from
any server.
* Will generate events with source set to udp:portnumber, for example: udp:514
* If sourcetype is unspecified, will generate events with set sourcetype to udp:portnumber .
# Additional attributes:
connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.
* Defaults to "ip".
_rcvbuf = <integer>
* Specifies the receive buffer for the UDP port (in bytes).
* If the value is 0 or negative, it is ignored.
* Defaults to 1,572,864.
* Note: If the default value is too large for an OS, Splunk will try to set the value to 1572864/2.
If that value also fails, Splunk will retry with 1572864/(2*2). It will continue to retry by
halving the value until it succeeds.
no_priority_stripping = [true|false]
* Setting for receiving syslog data.
* If this attribute is set to true, Splunk does NOT strip the <priority> syslog field
from received events.
* NOTE: Do NOT include this attribute if you want to strip <priority>.
* Default is false.
no_appending_timestamp = [true|false]
* If this attribute is set to true, Splunk does NOT append a timestamp and host to received events.
* NOTE: Do NOT include this attribute if you want to append timestamp and host to received events.
* Default is false.
queueSize = <integer>[KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.
persistentQueueSize = <integer>[KB|MB|GB|TB]
* Maximum size of the persistent queue file.
* Defaults to 0 (no persistent queue).
* Persistent queues can help prevent loss of transient data. For information on persistent queues
and how the queueSize and persistentQueueSize settings interact, see the online documentation.
#*******
# FIFO:
#*******
[fifo://<path>]
* This directs Splunk to read from a FIFO at the specified path.
queueSize = <integer>[KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.
persistentQueueSize = <integer>[KB|MB|GB|TB]
* Maximum size of the persistent queue file.
* Defaults to 0 (no persistent queue).
* Persistent queues can help prevent loss of transient data. For information on persistent queues
and how the queueSize and persistentQueueSize settings interact, see the online documentation.
#*******
# Scripted Input:
#*******
[script://<cmd>]
* Runs <cmd> at a configured interval (see below) and indexes the output.
* The <cmd> must reside in one of
* $SPLUNK_HOME/etc/system/bin/
* $SPLUNK_HOME/etc/apps/$YOUR_APP/bin/
* $SPLUNK_HOME/bin/scripts/
* Splunk on Windows ships with several Windows-only scripted inputs. Check towards the end of
the inputs.conf.example for examples of the stanzas for specific Windows scripted inputs that
you must add to your
local inputs.conf file.
* <cmd> can also be a path to a file that ends with a ".path" suffix. A file with this
suffix is a special type of pointer file that points to a command to be executed. Although
the pointer file is bound by the same location restrictions mentioned above, the command referenced
inside it can reside anywhere on the file system.
This file must contain exactly one line: the path to the command to execute, optionally followed by
command line arguments. Additional empty lines and lines that begin with '#' are also
permitted and will be ignored.
interval = [<integer>|<cron schedule>]
* How often to execute the specified command (in seconds), or a valid cron schedule.
* NOTE: when a cron schedule is specified, the script is not executed on start-up.
* Defaults to 60 seconds.
passAuth = <username>
* User to run the script as.
* If you provide a username, Splunk generates an auth token for that user and passes it to the
script via stdin.
queueSize = <integer>[KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.
persistentQueueSize = <integer>[KB|MB|GB|TB]
* Maximum size of the persistent queue file.
* Defaults to 0 (no persistent queue).
* Persistent queues can help prevent loss of transient data. For information on persistent
queues and how the queueSize and persistentQueueSize settings interact, see the online
documentation.
#*******
# File system change monitor (fschange monitor)
#*******
NOTE: You cannot simultaneously watch a directory using both fschange monitor and monitor
(described above).
[fschange:<path>]
* Monitors all add/update/deletes to this directory and its subdirectories.
* NOTE: <path> is the direct path. You do not need to preface it with // like other inputs.
* Sends an event for every change.
# Additional attributes:
# NOTE: fschange does not use the same attributes as other input types (described above).
Use only the following attributes:
index = <indexname>
* The index in which to store all generated events.
* Defaults to _audit, unless you do not set signedaudit (below) or set signedaudit = false, in
which case events go into the default index.
signedaudit = [true|false]
* Send cryptographically signed add/update/delete events.
* If set to true, events are *always* sent to the _audit index and will *always* have the
source type "audittrail".
* If set to false, events are placed in the default index and the source type is whatever
you specify (or "fs_notification" by default).
* You must set signedaudit to false if you want to set the index.
* NOTE: You must also enable auditing in audit.conf.
* Defaults to false.
filters = <filter1>,<filter2>,...
* Each filter is applied left to right for each file or directory found during the monitor's
poll cycle.
* See "File System Monitoring Filters" below for help defining a filter.
recurse = [true|false]
* If true, recurse directories within the directory specified in [fschange].
* Defaults to true.
followLinks = [true|false]
* If true, follow symbolic links.
* It is recommended that you do not set this to true; file system loops can occur.
* Defaults to false.
pollPeriod = <integer>
* Check this directory for changes every <integer> seconds.
* Defaults to 3600 seconds (1 hour).
hashMaxSize = <integer>
* Calculate a SHA256 hash for every file that is less than or equal to <integer> bytes.
* This hash is used as an additional method for detecting changes to the file/directory.
* Defaults to -1 (disabled).
fullEvent = [true|false]
* Set to true to send the full event if an add or update change is detected.
* Further qualified by the sendEventMaxSize attribute.
* Defaults to false.
sendEventMaxSize = <integer>
* Only send the full event if the size of the event is less than or equal to <integer> bytes.
* This limits the size of indexed file data.
* Defaults to -1, which is unlimited.
sourcetype = <string>
* Set the source type for events from this input.
* "sourcetype=" is automatically prepended to <string>.
* Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).
host = <string>
* Set the host for events from this input.
* Defaults to whatever host sent the event.
index = <string>
* Set the index for events from this input.
* Defaults to the main index.
filesPerDelay = <integer>
* Injects a delay specified by delayInMills after processing <integer> files.
* This is used to throttle file system monitoring so it doesn't consume as much CPU.
* Defaults to 10.
delayInMills = <integer>
* The delay in milliseconds to use after processing every <integer> files, as specified
in filesPerDelay.
* This is used to throttle file system monitoring so it doesn't consume as much CPU.
* Defaults to 100.
#*******
# File system monitoring filters:
#*******
[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.
* <filtertype>:
* Filter types are either 'blacklist' or 'whitelist.'
* A whitelist filter processes all file names that match the regex list.
* A blacklist filter skips all file names that match the regex list.
* <filtername>
* The filter name is used in the comma-separated list when defining a file system monitor.
regex<integer> = <regex>
* Blacklist and whitelist filters can include a set of regexes.
* The name of each regex MUST be 'regex<integer>', where <integer> starts at
1 and increments.
* Splunk applies each regex in numeric order:
regex1=<regex>
regex2=<regex>
...
#*******
# WINDOWS INPUTS:
#*******
* Windows platform specific input processor.
* Security, Application, System are enabled by default. To disable an input type,
comment it out or set disabled = 1 in $SPLUNK_HOME\etc\apps\windows\local\inputs.conf
* You can configure Splunk to read other Windows event logs as well, but you must
import them to the Windows Event Viewer first, and then add them to your local
copy of inputs.conf (in $SPLUNK_HOME\etc\apps\windows\local\inputs.conf).
Just use the same format as the ones shown below [WinEventLog:<event log name>]
and the attribute/value pair "disabled=0".
[WinEventLog:<Log Name>]
* Define a Windows Event Log to monitor.
disabled = [1|0]
* Enable (0) or disable (1) this input.
start_from = <string> [oldest|newest]
* Oldest - Start reading Windows Event Log chronologically from oldest to newest.
* Newest - Start reading Windows Event Log in reverse, from newest to oldest. Once the
backlog of events is consumed, Splunk will start picking up the newest events.
current_only = [1|0]
* If set to 1, it emulates tail and only monitors events that arrive after you define this input.
* If set to 0, it will first get all existing events in the log and then monitor events coming
in real time.
checkpointInterval = <seconds>
* Sets how frequently the Windows Event Log checkpoint will be saved.
* The default value is 5.
evt_resolve_ad_obj = [1|0]
* Enables (1)/disables (0) resolving looking up Active Directory objects like GUID/SID objects for a
specific Windows Event Log channel.
* By default, this option is enabled (1) for Security Event Logs.
* Optionally, you can specify the Domain Controller name and/or DNS name of the domain to bind to,
which Splunk will then use to resolve the AD objects.
evt_dc_name = <string>
* Optional. This parameter can be left empty.
* Domain Controller Name to bind to.
* This name can be the name of the domain controller or the fully-qualified DNS name of the domain
controller. Either name type can, optionally, be preceded by two backslash characters. The following
examples represent correctly formatted domain controller names:
* "FTW-DC-01"
* "\\FTW-DC-01"
* "FTW-DC-01.splunk.com"
* "\\FTW-DC-01.splunk.com"
evt_dns_name = <string>
* Optional. This parameter can be left empty.
* Fully-qualified DNS name of the domain to bind to.
# ***********
# Splunk for Windows ships with several Windows-only scripted inputs. They are defined in the
default inputs.conf.
* This is a list of the Windows scripted input stanzas:
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
* By default, some of the scripted inputs are enabled and others are disabled.
* Use the "disabled=" parameter to enable/disable any of them.
* Here's a short summary of the inputs:
* WMI: It retrieves events logs remotely and locally. It can also gather
performance data, as well as receive various system notifications.
* RegMon: It uses a driver to track and report any changes that occur in the
local system registry.
* ADMon: It indexes existing AD object and listens for AD changes.
* PerfMon: It retrieves performance data.
inputs.conf.example
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.2 # # This is an example inputs.conf. Use this file to configure data inputs. # # To use one or more of these configurations, copy the configuration block into # inputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to # enable configurations. # # To learn more about configuration files (including precedence) please see the documentation # located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles # The following configuration directs Splunk to read all the files in the directory /var/log. [monitor:///var/log] # The following configuration directs Splunk to read all the files under /var/log/httpd and # classify them as sourcetype::access_common. When checking a file for new data, if the file's # modtime is from before seven days ago, the file will no longer be checked for changes. [monitor:///var/log/httpd] sourcetype = access_common ignoreOlderThan = 7d # The following configuration directs Splunk to read all the files under /mnt/logs. When the path is # /mnt/logs/<host>/... it sets the hostname (by file) to <host>. [monitor:///mnt/logs] host_segment = 3 # The following configuration directs Splunk to listen on TCP port 9997 for raw data from ANY # remote server (not just a Splunk instance). The host of the data is set to the IP address # of the remote server. [tcp://:9997] # The following configuration directs Splunk to listen on TCP port 9995 for raw data from ANY # remote server. The host of the data is set as the host name of the remote server. # All data will also be assigned the sourcetype "log4j" and the source "tcp:9995". [tcp://:9995] connection_host = dns sourcetype = log4j source = tcp:9995 # The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10. # All data is assigned the host "webhead-1", the sourcetype "access_common" and the # the source "//10.1.1.10/var/log/apache/access.log". [tcp://10.1.1.10:9995] host = webhead-1 sourcetype = access_common source = //10.1.1.10/var/log/apache/access.log # The following configuration sets a global default for data payloads sent from the light forwarder. # The route parameter is an ordered set of rules that is evaluated in order for each payload of # cooked data. [splunktcp] route=has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue; # The following configuration directs Splunk to listen on TCP port 9996 for # splunk cooked event data from ANY splunk forwarder. # The host of the data is set to the host name of the remote server ONLY IF the # remote data has no host set, or if it is set to "localhost". [splunktcp://:9996] connection_host = dns # The following configuration directs Splunk to listen on TCP port 9998 for distributed search data from # 10.1.1.100. The data is processed the same as locally indexed data. [splunktcp://10.1.1.100:9996] # The following configuration directs Splunk to listen on TCP port 514 for data from # syslog.corp.company.net. The data is assigned the sourcetype "syslog" and the host # is set to the host name of the remote server. [tcp://syslog.corp.company.net:514] sourcetype = syslog connection_host = dns # Set up SSL: [SSL] serverCert=$SPLUNK_HOME/etc/auth/server.pem password=password rootCA=$SPLUNK_HOME/etc/auth/cacert.pem requireClientCert=false [splunktcp-ssl:9996] # Enable Windows Registry monitoring (Windows only) # This example shows how to enable Windows Registry monitoring as a scripted input. # Because the Windows Registry can generate a high volume of events, Windows Registry monitoring # is also affected by two other configuration files, sysmon.conf and regmon.conf: # * sysmon.conf contains global settings for which event types (adds, deletes, renames, and so on) # to monitor, which regular expression filters from the regmon-filters.conf file to use, and # whether or not Windows registry events are monitored at all. # * regmon-filters.conf contains the specific regular expressions you create to refine and filter # the hive key paths you want Splunk to monitor. # Splunk recommends that you refer to the documentation about Windows Registry monitoring at # http://www.splunk.com/base for more details. # You must make the change shown below in inputs.conf in $SPLUNK_HOME/etc/system/local/. # You must restart Splunk to enable configurations. [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path] interval = 60 sourcetype = WinRegistry source = WinRegistry disabled = 0 # Enable WMI input (Windows only) # This example shows how to enable WMI input as a scripted input. # WMI input is also affected by configurations in wmi.conf. # Splunk recommends that you refer to the documentation about WMI input at http://www.splunk.com/base # for more details. # You must make this change in inputs.conf in $SPLUNK_HOME/etc/apps/windows/local/. # You must restart Splunk to enable configurations. [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] disabled = 0 # Use file system change monitor: [fschange:/etc/] fullEvent=true pollPeriod=60 recurse=true sendEventMaxSize=100000 index=main # Monitor Windows event logs Security: [WinEventLog:Security] disabled = 0 start_from = oldest current_only = 0 evt_dc_name = evt_dns_name = evt_resolve_ad_obj = 1 checkpointInterval = 5 # Monitor Windows event logs ForwardedEvents: [WinEventLog:ForwardedEvents] disabled = 0 start_from = newest current_only = 1 checkpointInterval = 5 [tcp://9994] queueSize=50KB persistentQueueSize=100MB
This documentation applies to the following versions of Splunk: 4.2.2 View the Article History for its revisions.