About data and indexes
When you use Splunk, you are working with data in a Splunk index. In general, this manual assumes that a Splunk admin has already added data to your Splunk index. If this is the case, you can skip right to the "Search and investigate" chapter in this manual.
Read on to learn what types of data Splunk indexes, the ways to get data into Splunk, where Splunk stores the data, and how apps and inputs relate to indexes.
What types of data does Splunk index
Splunk can index any IT data from any source in real time. Point your servers or network devices' syslog at Splunk, set up WMI polling, monitor any live logfiles, enable change monitoring on your filesystem or the Windows registry, schedule a script to grab system metrics, and more. No matter how you get the data, or what format it's in, Splunk will index it the same way — without any specific parsers or adapters to write or maintain. It stores both the raw data and the rich index in an efficient, compressed, filesystem-based datastore — with optional data signing and auditing if you need to prove data integrity.
Ways to get data into Splunk
When adding data to Splunk, you have a variety of flexible input methods to choose from: Splunk Web, Splunk's CLI, and the inputs.conf configuration file.
You can add most data sources using Splunk Web. If you have access to the configuration files, you can use inputs.conf, which has more extensive configuration options. Any changes you make using Splunk Web or the Splunk CLI are written to inputs.conf.
The "Add data to your indexes" topic briefly outlines the general procedure for using Splunk Web to add new data. For more specific information about configuring inputs, see the "What Splunk can index" chapter in the Getting Data In manual.
Where does Splunk store the data
You'll notice that we use the term "index" to refer to a couple of different things. First and foremost, when Splunk indexes new data, it processes the raw data to make it searchable. Second, when we talk about Splunk indexes, we mean the data store where Splunk stores all or parts of the data. So, when you index new data, Splunk stores the data in indexes. Additionally, when you search, you're matching against data in one or multiple indexes.
Apps and inputs
When you add an input to Splunk, that input gets added relative to the app you're in, and the app's inputs.conf can send its data to a specific index (for example, the Splunk App for Unix and Linux uses the 'os' index). A search that does not name an index runs only against the indexes your role searches by default (typically main), so data in the 'os' index is found only when you add index=os to the search or when an admin adds that index to your role's default search indexes. If you're not finding data that you're certain is in Splunk, be sure that you're searching the right index.
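A way to check, before you search, which index each configured input actually writes to. This is an added example and not part of Splunk or this manual: it parses inputs.conf-style and indexes.conf-style text (both constructed here; the monitored file paths, the host name and the 'appaudit' index are made up) with Python's configparser, applies Splunk's precedence for the index setting (the input stanza, then the [default] stanza, then the built-in default index main), and flags inputs whose target index is not defined anywhere, since events sent to an undefined index are discarded rather than indexed and will never turn up in a search.

```python
"""Report which index each Splunk input writes to and flag undefined ones.

Added example, not Splunk's own code. Both .conf texts below are constructed
stand-ins for an app's inputs.conf and for the merged indexes.conf.
"""
import configparser
from typing import Dict, List, Set, Tuple

# Constructed inputs.conf. A setting in an input stanza overrides the same
# setting in [default]; an input with no index setting at all goes to main.
INPUTS_CONF = """
[default]
host = web01

[monitor:///var/log/auth.log]
index = os
sourcetype = linux_secure
disabled = 0

[monitor:///var/log/nginx/access.log]
sourcetype = access_combined

[monitor:///var/log/app/audit.log]
index = appaudit
sourcetype = app_audit
"""

# Constructed stand-in for the merged indexes.conf: only the 'os' index is
# defined here. Built-in indexes come from system/default/indexes.conf.
INDEXES_CONF = """
[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb
"""
BUILTIN_INDEXES = {"main", "_internal", "_audit", "summary", "history"}


def _parse(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are ini-like. Interpolation is disabled so values
    # such as $SPLUNK_DB or a literal % are left untouched.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def input_targets(inputs_text: str) -> Dict[str, str]:
    """Map each enabled input stanza to the index it writes to."""
    cp = _parse(inputs_text)
    default_index = "main"
    if cp.has_section("default"):
        default_index = cp["default"].get("index", "main")
    targets: Dict[str, str] = {}
    for stanza in cp.sections():
        if stanza == "default":
            continue
        if cp[stanza].get("disabled", "0").strip().lower() in ("1", "true"):
            continue
        targets[stanza] = cp[stanza].get("index", default_index)
    return targets


def defined_indexes(indexes_text: str) -> Set[str]:
    """Index names defined in indexes.conf plus the built-in ones."""
    cp = _parse(indexes_text)
    names = {s for s in cp.sections() if not s.startswith("volume:")}
    return names | BUILTIN_INDEXES


def missing_index_inputs(inputs_text: str,
                         indexes_text: str) -> List[Tuple[str, str]]:
    """Inputs whose target index does not exist; their events are dropped."""
    have = defined_indexes(indexes_text)
    return sorted((stanza, idx)
                  for stanza, idx in input_targets(inputs_text).items()
                  if idx not in have)


if __name__ == "__main__":
    for stanza, idx in input_targets(INPUTS_CONF).items():
        print(f"{stanza} -> index={idx}   (search with: index={idx})")
    for stanza, idx in missing_index_inputs(INPUTS_CONF, INDEXES_CONF):
        print(f"WARNING: {stanza} targets undefined index '{idx}'")
```

Run against a real deployment by reading $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf and the output of `splunk btool indexes list` instead of the constructed strings; the nginx input above is the case to watch for, since it lands in main without saying so, while the auth.log input is only found with index=os.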
For the Splunk user, this is all you need to know before you begin searching and learning more about your data. If you want to read more about managing the data in your indexes, see the "Manage indexes" chapter in the Admin manual.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7