Splunk® Enterprise

Splunk Tutorial

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Get the sample data into Splunk

This topic assumes that you have already downloaded, installed, and started a Splunk server. If you haven't yet, go back to the previous topic for instructions to do that.

Once you've started and logged into Splunk, you need to give it data that you can search. You can feed Splunk data from files and directories, network ports, and custom scripts, but for this tutorial, you will upload a compressed file directly to Splunk.

This topic walks you through downloading the sample dataset and adding it to Splunk. The tutorial is designed to be completed in a matter of hours, but if you want to spread it out over a few days, just download a fresh sample data file and add it.

Download the sample data file

This tutorial uses sample data from a fictitious online store, the Flower & Gift shop, and includes events gathered from:

  • Apache web server logs
  • MySQL database logs

To proceed with this tutorial, download but do not uncompress the sample data file here:

Sampledata.zip

This sample data file is updated daily and shows events timestamped for the previous seven days.

Add the sample data into Splunk

Logging into Splunk should have taken you to Splunk Home. If it isn't the first view that you see, use the App list to select Home.

1. In Splunk Home, click Add data.

This takes you to the Add Data to Splunk dialog, where you can either Choose a Data Type to add or Choose a Data Source.

2. Under Or Choose a Data Source, click From files and directories.

This takes you to the Preview data dialog, which lets you see a preview of the data before you add it to a Splunk index. You won't need to do this for the tutorial. If you're interested in reading more about data preview, refer to "Overview of data preview" in the Getting Data In manual.

3. Select Skip preview and click Continue.

This takes you to the Home > Add data > Files & directories > Add new view. This is where you will upload the sample data file. Normally, this is all you need to do and Splunk handles the rest without any changes needed. For the purposes of this tutorial, however, you will also edit some of the properties.

4. Under Source, select Upload and index a file and browse for the sample data file that you just downloaded.

The source of an event tells you where it came from. If you collect data from files and directories, the "source" is the full pathname of the file or directory. In the case of a network-based source, the source is the protocol and port, such as UDP:514.

5. Select More settings.

This enables you to override Splunk's default settings for Host, Source type, and Index.

An event's host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated. If you take a look at the Sampledata.zip file, it contains four directories (folders): three of the folders are named for Apache web servers and one is a MySQL server.

The source type of an event tells you what kind of data it is, usually based on how it's formatted. Examples of source types are access_combined or cisco_syslog. This classification lets you search for the same type of data across multiple sources and hosts. For more information about how Splunk source types your data, read "Why source types matter" in the Getting Data In manual.

The index setting tells Splunk where to put the data. By default, it's stored in main, but you should consider partitioning your data into different indexes if you have many types of data, or if some of it is more sensitive than the rest: an index is also the unit at which Splunk roles grant or deny search access, so data that different groups of users are allowed to see belongs in different indexes. For more information about creating custom indexes, read "Set up multiple indexes" in the Managing Indexers and Clusters manual.

For this tutorial, you're just going to change the Host setting.

6. Under Host and Set host, choose regex on path.

You want the host value to match the names of the folders contained in Sampledata.zip. By selecting regex on path, you're telling Splunk to run a regular expression (regex) against the source path of each file inside the compressed file and to use the text captured by the regex's capture group as that file's host value.

7. Under Regular expression, copy and paste:

For Linux/Unix:

Sampledata\.zip:\./([^/]+)/

For Windows:

Sampledata\.zip:\.\\([^\\]+)\\

Each regex expects the source of a file inside the archive to be the archive name followed by the path within it, that is, Sampledata.zip:./folder/file (Linux/Unix) or Sampledata.zip:.\folder\file (Windows). It matches the text immediately after Sampledata.zip:./ (or Sampledata.zip:.\) and captures the first path segment, the folder name, which becomes the host. The period in .zip is escaped so that it matches only a literal period; an unescaped period would still match, because . matches any character, but it is less precise.

8. Click Save.

When it's finished, Splunk displays a message saying the upload was successful.
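
To see exactly what the host regex from step 7 does, here is an added Python example; it is not part of the original tutorial and not Splunk's own code. It assumes that Splunk records the source of each file inside the archive as the archive path followed by :./ (or :.\ on Windows) and the path within the archive, which is the form the tutorial's regex implies. The folder names apache1, apache2, apache3 and mysql, the default host name splunk-indexer and the file paths are all constructed for the example.

```python
import re

# Host regexes from step 7 of the tutorial: the Linux/Unix form (with the
# period escaped) and the Windows form. Splunk uses the first capture group.
HOST_REGEX_UNIX = r"Sampledata\.zip:\./([^/]+)/"
HOST_REGEX_WINDOWS = r"Sampledata\.zip:\.\\([^\\]+)\\"

# Constructed source values, shaped as <archive path>:./<path inside archive>.
# This form is an assumption drawn from the tutorial's regex; the folder and
# file names are made up for the example.
SAMPLE_SOURCES_UNIX = [
    "/home/splunk/Sampledata.zip:./apache1/access.log",
    "/home/splunk/Sampledata.zip:./apache2/2013/access.log",  # nested folder
    "/home/splunk/Sampledata.zip:./apache3/error.log",
    "/home/splunk/Sampledata.zip:./mysql/mysqld.log",
    "/home/splunk/Sampledata.zip:./README.txt",  # file at archive root
]
SAMPLE_SOURCES_WINDOWS = [
    r"C:\Users\splunk\Sampledata.zip:.\apache1\access.log",
    r"C:\Users\splunk\Sampledata.zip:.\mysql\mysqld.log",
    r"C:\Users\splunk\Sampledata.zip:.\README.txt",  # file at archive root
]

# Stand-in for the server's default host value (assumed name).
DEFAULT_HOST = "splunk-indexer"


def host_from_source(source, host_regex, default_host=DEFAULT_HOST):
    """Return the host a 'regex on path' rule would assign to one file.

    If the regex matches the source path, the first capture group is the
    host; if it does not match, the event keeps the default host.
    """
    match = re.search(host_regex, source)
    if match is None:
        return default_host
    return match.group(1)


def assign_hosts(sources, host_regex):
    """Map each source path to the host it would receive."""
    return {src: host_from_source(src, host_regex) for src in sources}


if __name__ == "__main__":
    for src, host in assign_hosts(SAMPLE_SOURCES_UNIX, HOST_REGEX_UNIX).items():
        print(f"{host:15} <- {src}")
    for src, host in assign_hosts(SAMPLE_SOURCES_WINDOWS, HOST_REGEX_WINDOWS).items():
        print(f"{host:15} <- {src}")
```

Two details worth checking before you rely on a host regex: a file at the root of the archive has no folder segment, so the regex does not match and those events keep the default host; and because [^/]+ stops at the first slash, a file in a nested folder still gets the top-level folder name as its host, which is what you want here.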

Next steps

Click Start searching and proceed to the next topic in this tutorial to look at your data in the Search app.

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Michael L. and Don S.,
It seems to be related to uploading compressed files on Windows. I'll follow up with updates. Thank you!

Sophy, Splunker
August 21, 2013

I have the same issue as Don625 - I only see apache2 and apache3... no 1 or SQL. I have the folders in the ZIP file but they are not being processed. This is a Windows install.

Lehrfeld
August 21, 2013

I'm not getting all of the data in the Search from the sample.zip. I followed the instructions above "Get the sample data into Splunk" I only see 2 apache2 and apache3. Any ideas why? Thanks.

Don625
August 7, 2013

The Linux/Unix regex for the host should be

Sampledata\.zip:\./([^/]+)/

For Windows, the period is properly escaped, but it wasn't for Linux/Unix. The only reason why it still worked before is because period matches any character (including period itself) anyway.

Hobbes3
July 16, 2013

The Sampledata.zip only contains access_combined_wcookie data and nothing else. Is there another place to get the complete ZIP file?

Jubartigig
June 5, 2013

Very good tutorial :), easy to understand, keep up the work, thanks.

Ezragrazer
March 26, 2013
