Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Get data from FIFO queues

This topic describes how to configure a FIFO input using inputs.conf. Defining FIFO inputs is not currently supported in Splunk Web/Manager.

Caution: Data sent via FIFO is not persisted in memory and can be an unreliable method for data sources. To ensure your data is not lost, use monitor instead.

Add a FIFO input to inputs.conf

To add a FIFO input, add a stanza for it to inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. If you have not worked with Splunk's configuration files before, read about configuration files before you begin.

Here's the basic syntax for adding a FIFO stanza:

<attrbute1> = <val1>
<attrbute2> = <val2>

This input stanza directs Splunk to read from a FIFO at the specified path.

You can use the following attributes with FIFO stanzas:

host = <string>

  • Sets the host key/field to a static value for this stanza.
  • Sets the host key's initial value. The key is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.
  • The <string> is prepended with 'host::'.
  • If not set explicitly, this defaults to the IP address or fully qualified domain name of the host where the data originated.

index = <string>

  • Set the index where events from this input will be stored.
  • The <string> is prepended with 'index::'.
  • Defaults to main, or whatever you have set as your default index.
  • For more information about the index field, see "How indexing works" in the Admin manual.

sourcetype = <string>

  • Sets the sourcetype key/field for events from this input.
  • Explicitly declares the source type for this data, as opposed to allowing it to be determined automatically. This is important both for searchability and for applying the relevant formatting for this type of data during parsing and indexing.
  • Sets the sourcetype key's initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.
  • The <string> is prepended with 'sourcetype::'.
  • If not set explicitly, Splunk picks a source type based on various aspects of the data. There is no hard-coded default.
  • For more information about source types, see "Why source types matter" in this manual.

source = <string>

  • Sets the source key/field for events from this input.
  • Note: Overriding the source key is generally not recommended. Typically, the input layer will provide a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retreived. Please consider use of source types, tagging, and search wildcards before overriding this value.
  • The <string> is prepended with 'source::'.
  • Defaults to the input file path.

queue = [parsingQueue|indexQueue]

  • Specifies where the input processor should deposit the events that it reads.
  • Set to "parsingQueue" to apply props.conf and other parsing rules to your data.
  • Set to "indexQueue" to send your data directly into the index.
  • Defaults to parsingQueue.
Real-time Windows performance monitoring
Monitor changes to your filesystem

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters