What data can I index?
Splunk Enterprise can index any kind of data. In particular, any and all IT streaming, machine, and historical data, such as Windows event logs, web server logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, and so on.
How do I get data in?
To get data into your Splunk deployment, point it at a data source. Tell it a bit about the source. That source then becomes a data input. Splunk Enterprise indexes the data stream and transforms it into a series of events. You can view and search those events right away. If the results aren't exactly what you want, you can tweak the indexing process until they are.
If you have Splunk Enterprise, the data can be on the same machine as an indexer (local data) or on another machine (remote data). If you have Splunk Cloud, the data resides in your corporate network and you send it to your Splunk Cloud deployment. You can get remote data into your Splunk deployment using network feeds or by installing Splunk forwarders on the hosts where the data originates. For more information on local vs. remote data, see Where is my data?
Splunk offers apps and add-ons, with pre-configured inputs for things like Windows- or Linux-specific data sources, Cisco security data, Blue Coat data, and so on. Look on Splunkbase for an app or add-on that fits your needs. Splunk Enterprise also comes with dozens of recipes for data sources like web server logs, Java 2 Platform, Enterprise Edition (J2EE) logs, or Windows performance metrics. You can get to these from the Add data page in Splunk Web. If the recipes and apps don't cover your needs, then you can use the general input configuration capabilities to specify your particular data source.
For more information on how to configure data inputs, see Configure your inputs.
Types of data sources
Splunk provides tools to configure many kinds of data inputs, including those that are specific to particular application needs. Splunk also provides the tools to configure any arbitrary data input types. In general, you can categorize Splunk inputs as follows:
- Files and directories
- Network events
- Windows sources
- Other sources
Files and directories
A lot of data comes directly from files and directories. You can use the files and directories monitor input processor to get data from files and directories.
To monitor files and directories, see Get data from files and directories.
Splunk Enterprise can index data from any network port, for example, remote data from
syslog-ng or any other application that transmits over the TCP protocol. It can also index UDP data, but you should use TCP instead whenever possible for enhanced reliability.
Splunk Enterprise can also receive and index SNMP events, alerts fired off by remote devices.
To get data from network ports, see Get data from TCP and UDP ports in this manual.
To get SNMP data, see Send SNMP events to your Splunk deployment in this manual.
Splunk Cloud and the Windows version of Splunk Enterprise accept a wide range of Windows-specific inputs. Splunk Web lets you configure the following Windows-specific input types:
- Windows Event Log data
- Windows Registry data
- WMI data
- Active Directory data
- Performance monitoring data
To index and search Windows data on a non-Windows instance of Splunk Enterprise, you must first use a Windows instance to gather the data. See Considerations for deciding how to monitor remote Windows data.
For a more detailed introduction to using Windows data in Splunk Enterprise, see Monitoring Windows data in this manual.
Other data sources
Splunk software also supports other kinds of data sources. For example:
- Scripted inputs
Get data from APIs and other remote data interfaces and message queues.
- Modular inputs
Define a custom input capability to extend the Splunk Enterprise framework.
- The HTTP Event Collector endpoint
Use the HTTP Event Collector to get data directly from a source with the HTTP or HTTPS protocols.
Get started with getting data in
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2