Splunk® Enterprise

Getting Data In


Configure your inputs

To add a new type of data to Splunk Enterprise, configure a data input. There are a number of ways to configure data inputs.

  • Splunk Web. You can configure most inputs using the Splunk Web data input pages. These provide a GUI-based approach to configuring inputs. You can access the Add Data landing page from Splunk Home. You can also use System to add new inputs or view and manage existing inputs. In addition, when you upload or monitor a file, Splunk Enterprise lets you preview the file and make adjustments to how Splunk Enterprise plans to index it before the data is written to the index.
  • The Splunk Command-Line Interface (CLI). Use the CLI to configure most types of inputs.
  • The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, Splunk Enterprise saves them in a configuration file, inputs.conf. You also can edit that file directly. To handle some advanced data input requirements, you might need to edit it.

In addition, if you configure forwarders to send data from outlying machines to a central indexer, you can specify some inputs at installation time. See "Use forwarders to get data in."

This topic describes how to configure data inputs yourself, using Splunk Web, the CLI, or inputs.conf.

Use Splunk Web

You can add data inputs from Splunk Home or Splunk System.

  • From Splunk Home, select Add Data. This takes you to the Add Data page, with links to recipes for a variety of data input types. See "How do you want to add data?"
  • From anywhere in Splunk Web, select System, and then select Data inputs from the Data section of the System pop-up. This takes you to a page where you can view and manage your existing inputs, as well as add new ones.

The Add Data page has three options to get data in: Upload, Monitor, and Forward. Clicking one of the icons takes you to a page that lets you define the data you want to upload, monitor, or forward.

For information on using Splunk Web to configure your inputs, look in the topics covering specific inputs later in this manual. For example, to learn how to use Splunk Web to configure network inputs, see "Get data from TCP and UDP ports."

You can configure most inputs with Splunk Web. For a small number of input types, you must edit inputs.conf directly. In addition, some advanced settings for other input types are available only through inputs.conf.

When you add an input through Splunk Web, Splunk Enterprise adds that input to the copy of inputs.conf that belongs to the app you are currently in. This has consequences that you need to consider. For example, if you navigate to Splunk System directly from the Search page and then add an input there, Splunk Enterprise writes the input to $SPLUNK_HOME/etc/apps/search/local/inputs.conf. Make sure you are in the app that should own the input before you add it. For information on how configuration files work, see "About configuration files."

Use the CLI

You can use the Splunk CLI to configure most inputs. Navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command from the UNIX or Windows command prompt. For example, this command adds /var/log/ as a data input:

./splunk add monitor /var/log/

If you get stuck, the Splunk CLI has built-in help. For the list of CLI commands, type:

./splunk help commands

Individual commands have their own help pages as well. To see them, type:

./splunk help <command>

For information on how to use the CLI to configure a specific input, see the topic in this manual for that input. For example, to learn how to use the CLI to configure network inputs, see: "Add a network input using the CLI."

For information on the CLI, see "About the CLI" and the topics that follow it in the Admin Manual.

Edit inputs.conf

To add an input by directly editing inputs.conf, add a stanza for the input. You can add the stanza to the inputs.conf file in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory (in $SPLUNK_HOME/etc/apps/<app name>/local). If you have not worked with the configuration files, see "About configuration files."

Configure the data input by adding attribute/value pairs to its stanza. You can set multiple attributes in an input stanza. If you do not specify a value for an attribute, Splunk Enterprise uses the default value that is preset in $SPLUNK_HOME/etc/system/default/inputs.conf.

Following is an example of adding a network input. This configuration directs Splunk Enterprise to listen on TCP port 9995 for raw data from any remote server. Splunk Enterprise uses the DNS name of the remote server to set the host of the data. It assigns the source type log4j and the source tcp:9995 to the data.

[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995
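The following script is an added example, not Splunk code, that shows how the stanza format above can be read back and checked. It implements a small parser for inputs.conf-style text (bracketed stanza headers, attribute = value lines, # comments), merges each stanza over a constructed DEFAULTS table that stands in for $SPLUNK_HOME/etc/system/default/inputs.conf, and reports each network listener, flagging a [tcp://:<port>] stanza (empty host part, which as the page says accepts data from any remote server) unless it is restricted by a [tcp://<remote server>:<port>] header or an acceptFrom attribute (an inputs.conf network-ACL attribute that is not shown on this page). The sample inputs.conf text, the DEFAULTS values, and the assumed default source value are constructed for this example.

```python
"""Parse inputs.conf-style stanzas, apply defaults, and review network listeners.

Added example; not part of Splunk Enterprise. The parser is a simplified
reading of the stanza format shown on this page.
"""
import re

# Constructed stand-in for the shipped defaults file; the real
# $SPLUNK_HOME/etc/system/default/inputs.conf may set other values.
DEFAULTS = {"tcp": {"connection_host": "dns"}}

# Matches headers such as [tcp://:9995], [tcp://10.0.0.5:9996], [splunktcp://:9997].
STANZA_RE = re.compile(
    r"^\[(?P<scheme>[a-zA-Z]+)://(?P<host>[^:\]]*):?(?P<port>\d*)\]$"
)

# Constructed sample: the page's stanza, a sender-restricted one, and a file monitor.
SAMPLE_INPUTS_CONF = """\
# constructed sample inputs.conf
[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995

[tcp://10.0.0.5:9996]
sourcetype = log4j

[monitor:///var/log/]
"""


def parse_inputs_conf(text):
    """Return a list of (stanza_header, attributes dict) in file order."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line, {})
            stanzas.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"attribute outside a stanza or malformed: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[1][key] = value
    return stanzas


def effective_attributes(scheme, attrs):
    """Merge a stanza's attributes over the defaults for its scheme (tcp, udp, ...)."""
    merged = dict(DEFAULTS.get(scheme, {}))
    merged.update(attrs)
    return merged


def review_listeners(text):
    """Describe each tcp/udp/splunktcp stanza and flag ones open to any remote host."""
    findings = []
    for header, attrs in parse_inputs_conf(text):
        m = STANZA_RE.match(header)
        if not m or m.group("scheme") not in ("tcp", "udp", "splunktcp"):
            continue
        scheme, host, port = m.group("scheme"), m.group("host"), m.group("port")
        eff = effective_attributes(scheme, attrs)
        # Empty host part means "any remote server"; acceptFrom narrows that.
        accepts_any_host = host == "" and "acceptFrom" not in eff
        findings.append({
            "stanza": header,
            "port": int(port),
            # Assumed default source of "<scheme>:<port>" when none is set.
            "source": eff.get("source", f"{scheme}:{port}"),
            "sourcetype": eff.get("sourcetype"),
            "connection_host": eff.get("connection_host"),
            "accepts_any_host": accepts_any_host,
        })
    return findings


if __name__ == "__main__":
    for finding in review_listeners(SAMPLE_INPUTS_CONF):
        flag = "OPEN TO ANY HOST" if finding["accepts_any_host"] else "restricted"
        print(f"{finding['stanza']}: port {finding['port']}, "
              f"sourcetype={finding['sourcetype']}, "
              f"connection_host={finding['connection_host']}, {flag}")
```

Running the script over the constructed sample reports the page's [tcp://:9995] stanza as open to any host and the [tcp://10.0.0.5:9996] stanza as restricted, with connection_host filled in from the defaults for the second stanza. The same check can be pointed at the local inputs.conf of each app directory to see which listeners a deployment actually exposes.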

For information on how to configure a specific input, see the topic in this manual for that input. For example, to learn how to configure file inputs, see Edit inputs.conf.

The topic for each data input describes the main attributes available for that input. For the full list of available attributes, however, refer to the inputs.conf specification file, which contains descriptions of every attribute. An accompanying example file contains several sample stanzas.

About source types

As part of the input process, Splunk Enterprise assigns a source type to the data. The source type identifies the format of the data. Splunk Enterprise uses the source type during indexing to format events correctly. It usually knows what source type to assign. For instance, syslog data gets a source type of "syslog". If you are not happy with the source type Splunk Enterprise assigns to a particular input, you can substitute a different source type -- either one of the predefined source types or one that you create yourself. You set the source type at the time you configure the input, using any of the configuration methods described in this topic.

For information on source types, see "Why source types matter." The topic "Override automatic source type assignment" describes source type assignment options.

To learn how to set the source type on a per-event basis, see "Advanced source type overrides."


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13
