Splunk® Enterprise

Getting Data In

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Use a test index to test your inputs

Before you add new inputs to a production index on your instance, it's a good idea to test the inputs first by adding them to a test index. After you verify that you're receiving the right data and that the resulting events are in a usable form, you can reconfigure the inputs to a production index. You can continue to test new inputs this way over time. If you find that the inputs you started with aren't the ones you want, you can keep working with the test index until you get results you like.

You can also preview how indexes your data into a test index. During preview, adjust the event processing settings interactively. See Assign the correct source type to your data for details.

Use a test index

  1. Create the test index using Splunk Web or, if you have Splunk Enterprise, using the CLI or by editing the indexes.conf configuration file.
  2. When you configure the data inputs, send events to the test index. You can do this in Splunk Web. For each input, perform these steps:
    1. When you configure the input from the Add data page, check the More settings option. It reveals several new fields, including one called Index.
    2. From the Index drop-down list, select your test index. All events for that data input now go to that index.
    3. Repeat this process for each data input that you want to send to your test index.
  3. When you search, specify the test index in your search command. By default, searches the main index. Use the index= command, like this:

index=test_index

When you search a test index for events coming in from your newly created input, change the time range for the fields side bar to '''Real-time > All time (real-time)'''. The resulting real-time search shows all events being written to that index regardless of the value of their extracted time stamp. This result is particularly useful if you're indexing historical data into your index that a search for '''Last hour''' or '''Real-time > 30 minute window''' wouldn't show.

To learn how to create and use custom indexes with Splunk Web, see Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual. You can also specify an index when you configure an input in the inputs.conf configuration file.

Delete indexed data and start over

If you want to clean out your test index and start over on Splunk Enterprise, use the CLI clean command, as described Remove indexes and indexed data in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Configure your inputs to use the default index

When you're satisfied with the test results and you're ready to start indexing for real, edit your data inputs so that they send data to the default main index instead of the test index. For each data input that you've already set up, follow the reversed steps that you took to set up the test index:

  1. Go back to the place where you initially configured the input. For example, if you configured the input from the Add data page in Splunk Web, return to the configuration screen for that input:
    1. Select System > System configurations > Data inputs.
    2. Select the input data type to see a list of all configured inputs of that type.
    3. Select the specific data input that you want to edit. Selecting the input takes you to a screen where you can edit it.
    4. Select the Display advanced settings option. Go to the field named Index.
    5. In the Index drop-down list, select the main index. All events for that data input now go to that index.

If you instead used the inputs.conf file to configure an input, you can change the index directly in that file, as described Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Now when you search, you no longer need to specify an index in the search command. By default, Splunk software searches the main index.

Last modified on 31 March, 2021
Set search-time event segmentation in Splunk Web   Use persistent queues to help prevent data loss

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters