Get data from FIFO queues
This topic describes how to configure a FIFO input using
inputs.conf. Defining FIFO inputs is not currently supported in Splunk Web/Manager.
Caution: Data sent via FIFO is not persisted in memory and can be an unreliable method for data sources. To ensure your data is not lost, use monitor instead.
Add a FIFO input to inputs.conf
To add a FIFO input, add a stanza for it to inputs.conf in
$SPLUNK_HOME/etc/system/local/, or your own custom application directory in
$SPLUNK_HOME/etc/apps/. If you have not worked with Splunk's configuration files before, read about configuration files before you begin.
Here's the basic syntax for adding a FIFO stanza:
[fifo://<path>] <attrbute1> = <val1> <attrbute2> = <val2> ...
This input stanza directs Splunk to read from a FIFO at the specified path.
You can use the following attributes with FIFO stanzas:
host = <string>
- Sets the host key/field to a static value for this stanza.
- Sets the host key's initial value. The key is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.
<string>is prepended with 'host::'.
- If not set explicitly, this defaults to the IP address or fully qualified domain name of the host where the data originated.
index = <string>
- Set the index where events from this input will be stored.
<string>is prepended with 'index::'.
- Defaults to
main, or whatever you have set as your default index.
- For more information about the index field, see "How indexing works" in the Managing Indexers and Clusters manual.
sourcetype = <string>
- Sets the sourcetype key/field for events from this input.
- Explicitly declares the source type for this data, as opposed to allowing it to be determined automatically. This is important both for searchability and for applying the relevant formatting for this type of data during parsing and indexing.
- Sets the sourcetype key's initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.
<string>is prepended with 'sourcetype::'.
- If not set explicitly, Splunk picks a source type based on various aspects of the data. There is no hard-coded default.
- For more information about source types, see "Why source types matter" in this manual.
source = <string>
- Sets the source key/field for events from this input.
- Note: Overriding the source key is generally not recommended. Typically, the input layer will provide a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retreived. Please consider use of source types, tagging, and search wildcards before overriding this value.
<string>is prepended with 'source::'.
- Defaults to the input file path.
queue = [parsingQueue|indexQueue]
- Specifies where the input processor should deposit the events that it reads.
- Set to "parsingQueue" to apply
props.confand other parsing rules to your data.
- Set to "indexQueue" to send your data directly into the index.
- Defaults to
Real-time Windows performance monitoring
Monitor changes to your file system
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18