Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Configure your inputs

To add a new type of data to Splunk, you first need to tell it a few things about the data. You do this by configuring a data input. There are a number of ways to configure your inputs:

  • Apps. Splunk has a large and growing variety of apps that offer preconfigured inputs for various types of data. Take advantage of Splunk apps and free yourself from having to configure the inputs yourself. For more information, see "Use apps".
  • Splunk Web You can configure most inputs using the Splunk Web data input pages. These provide a GUI-based approach to configuring inputs. You can access the Add Data landing page from Splunk Home. You can also use Manager to add new inputs or view and manage existing inputs. In addition, Splunk Web's data preview feature makes it easy to see how Splunk intends to index your data and to make adjustments before the data actually gets written to the index.
  • Splunk's CLI. You can use the CLI to configure most types of inputs.
  • inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the configurations get saved in a configuration file, inputs.conf. You can edit that file directly, if you prefer. To handle some advanced data input requirements, you might need to edit it.

In addition, if you are configuring forwarders to send data from outlying machines to a central indexer, you can specify some inputs at installation time. See "Use forwarders".

This topic describes how to configure data inputs yourself, using Splunk Web, the CLI, or inputs.conf.

Use Splunk Web

You can add data inputs from Splunk Home or Splunk Manager:

  • From Splunk Home, select Add Data. This takes you to the Add Data page, with links to recipes for a wide variety of data input types. This is the easiest way to start adding inputs.
  • From anywhere in Splunk Web, select Manager. Then select Data inputs from the Data section of the Manager page. This takes you to a page where you can view and manage your existing inputs, as well as add new ones.

The Add Data page contains two groups of links. The first group contains links for some common data types, with recipes to get you going. The second group contains links to all the types of inputs that you can configure.

If you're just starting out, look in the first group of links to see if there's a data type that matches your needs. For example, if you click on Syslog, you'll go to a page with information on the different types of syslog data and links to recipes for each type. Or click on Apache logs for specific recipes for that data type.

For more information on using Splunk Web to configure your inputs, look in the topics covering specific inputs later in this manual. For example, to learn how to use Splunk Web to configure network inputs, look here: "Get data from TCP and UDP ports". You can configure most inputs with Splunk Web. For a small number of input types, such as file system change monitoring, you'll need to edit inputs.conf directly. In addition, some advanced settings for other input types are available only through inputs.conf.

Important: When you add an input through Splunk Web, Splunk adds that input to a copy of inputs.conf that belongs to the app you're currently in. This has consequences that you need to consider. For example, if you navigated to Splunk Manager directly from the Search page and then added an input there, your input will be added to $SPLUNK_HOME/etc/apps/search/local/inputs.conf. Make sure you're in the desired app when you add your inputs. For background on how configuration files work, read "About configuration files".

Use the CLI

You can use the Splunk CLI to configure most inputs. Navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command from the UNIX or Windows command prompt. For example, this command adds /var/log/ as a data input:

./splunk add monitor /var/log/

If you get stuck, Splunk's CLI has built-in help. For the list of CLI commands, type:

./splunk help commands
Individual commands have their own help pages as well. To see them, type:
./splunk help <command>

For information on how to use the CLI to configure a specific input, read the topic in this manual for that input. For example, to learn how to use the CLI to configure network inputs, look here: "Add a network input using the CLI".

For general informaton on the CLI, read "About the CLI" and the topics that follow it in the Admin manual.

Edit inputs.conf

To add an input by directly editing inputs.conf, add a stanza for the input. You can add the stanza to the inputs.conf file in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory (in $SPLUNK_HOME/etc/apps/<app name>/local). If you have not worked with Splunk's configuration files before, read "About configuration files" before you begin.

You configure the data input by adding attribute/value pairs to its stanza. You can set multiple attributes in an input stanza. If you do not specify a value for an attribute, Splunk uses the default value that's preset in $SPLUNK_HOME/etc/system/default/inputs.conf.

Here's a simple example of adding a network input. This configuration directs Splunk to listen on TCP port 9995 for raw data from any remote server. The host of the data is set as the DNS name of the remote server. All data will also be assigned the source type "log4j" and the source "tcp:9995".

[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995

For information on how to configure a specific input, read the topic in this manual for that input. For example, to learn how to configure file inputs, look here.

The topic for each data input describes the main attributes available for that input. However, you should always refer to the inputs.conf spec file, located here, for the complete list of available attributes. The spec file contains detailed descriptions of the attributes. It's followed by a file containing several examples.

A word about source types

As part of the input process, Splunk assigns a source type to the data. The source type identifies the format of the data. Splunk uses the source type during indexing to format events correctly. It usually knows what source type to assign. For instance, syslog data gets a source type of "syslog". If you're not happy with the source type Splunk assigns to a particular input, you can substitute a different source type -- either one of the predefined source types or one that you create yourself. You set the source type at the time you configure the input, using any of the configuration methods described in this topic.

For more information on source types, see "Why source types matter". The topic "Override automatic source type assignment" describes source type assignment options in detail.

To learn how to set the source type on a per-event basis, see "Advanced source type overrides".

You can use Splunk Web's data preview feature to help you assign the right source type to your data. You can also use it to edit source type settings and create a new source type entirely. See "Data preview and source types" for details.

PREVIOUS
How to get going
  NEXT
About Windows data and Splunk

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters