Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

What Splunk can index

The first step in using Splunk is to feed it data. Once Splunk gets some data, it immediately indexes it, so that it's available for searching. With its universal indexing ability, Splunk transforms your data into a series of individual events, consisting of searchable fields. There's lots you can do to massage the data before and after Splunk indexes it, but you don't usually need to. In most cases, Splunk can determine what type of data you're feeding it and handle it appropriately.

Basically, you point Splunk at data and it does the rest. In moments, you can start searching the data, or use it to create charts, reports, alerts, and other interesting outputs.

What kind of data?

Any data. In particular, any and all IT streaming and historical data. Stuff like event logs, web logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, or anything else of interest. Any data. Really.

Point Splunk at a data source. Tell Splunk a bit about the source. That source then becomes a data input to Splunk. Splunk begins to index the data stream, transforming it into a series of individual events. You can view and search those events right away. If the results aren't exactly what you want, you can tweak the indexing process until you're satisfied.

The data can be on the same machine as the Splunk indexer (local data), or it can be on another machine altogether (remote data). You can easily get remote data into Splunk, either by using network feeds or by installing Splunk forwarders on the machines where the data originates. Forwarders are lightweight versions of Splunk that consume data and then forward it on to the main Splunk instance for indexing and searching. For more information on local vs. remote data, see "Where is my data?".

To make the job easier, Splunk offers lots of free apps and add-ons, with pre-configured inputs for things like Windows- or Linux-specific data sources, Cisco security data, Blue Coat data, and so on. Look in Splunkbase for an app or add-on that fits your needs. Splunk also comes with dozens of recipes for data sources like web logs, J2EE logs, or Windows performance metrics. You can get to these from the Add data section of Splunk Web, described later. If the recipes and apps don't cover your needs, then you can use Splunk's more general input configuration capabilities to specify your particular data source. These generic data sources are discussed here.

How to specify data inputs

You add new types of data to Splunk by telling it about them. There are a number of ways you can specify a data input:

  • Apps. Splunk has a large and growing variety of apps and add-ons that offer preconfigured inputs for various types of data sources. Take advantage of Splunk apps and free yourself from having to configure the inputs yourself. For more information, see "Use apps".
  • Splunk Web. You can configure most inputs using the Splunk Web data input pages. These provide a GUI-based approach to configuring inputs. You can access the Add data landing page from either Splunk Home or Manager. See "Use Splunk Web".
  • Splunk's CLI. You can use the CLI (command line interface) to configure most types of inputs. See "Use the CLI".
  • The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the configurations get saved in an inputs.conf file. You can edit that file directly, if you prefer. To handle some advanced data input requirements, you might need to edit it. See "Edit inputs.conf".

In addition, if you use forwarders to send data from outlying machines to a central indexer, you can specify some inputs during forwarder installation. See "Use forwarders".

For more information on configuring inputs, see "Configure your inputs".

Types of data sources

As described earlier, Splunk provides tools to configure all sorts of data inputs, including many that are specific to particular application needs. Splunk also provides the tools to configure any arbitrary data input types. In general, you can categorize Splunk inputs as follows:

  • Files and directories
  • Network events
  • Windows sources
  • Other sources

Files and directories

A lot of the data you might be interested in comes directly from files and directories. For the most part, you can use Splunk's files and directories monitor input processor to get data from files and directories.

To monitor files and directories, see "Get data from files and directories".

Network events

Splunk can index data from any network port. For example, Splunk can index remote data from syslog-ng or any other application that transmits via TCP. Splunk can also index UDP data, but we recommend using TCP instead whenever possible, for enhanced reliability.

Splunk can also receive and index SNMP events, alerts fired off by remote devices.

To get data from network ports, see "Get data from TCP and UDP ports".

To get SNMP data, see "Send SNMP events to Splunk".

Windows sources

The Windows version of Splunk includes a wide range of Windows-specific inputs. It also provides pages in Splunk Manager for defining the Windows-specific input types listed below:

Important: You can index and search Windows data on a non-Windows instance of Splunk, but you must first use a Windows instance to gather the data. You can do this with a Splunk forwarder running on Windows. You configure the forwarder to gather Windows inputs and then forward the data to the non-Windows instance. See "Considerations for deciding how to monitor remote Windows data" for details.

For a more detailed introduction to using Windows data in Splunk, see "About Windows data and Splunk".

Other sources

Splunk also supports other kinds of data sources. For example:

Other things to consider

The topics that follow this one discuss issues to consider when specifying Splunk data:

Where is my data? Is it local or remote?

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters