Get the tutorial data into Splunk Enterprise
This topic walks you through downloading the tutorial data set and adding it into Splunk Enterprise. You can complete this tutorial in several hours, but if you want to spread it out over a few days, download a new sample data file and add it.
Download the sample data file
Download but do not uncompress the tutorial data file here:
This tutorial data file is updated daily and shows events timestamped for the previous 7 days.
Add the sample data into Splunk Enterprise
1. Log into Splunk.
If you're not in Splunk Home, click the Splunk logo on the Splunk bar.
2. In the Data panel, click Add data.
The Add data window opens, which provides a list of data types and sources that you can select from. The tutorial data is a compressed file source.
3. Under Or Choose a Data Source, click From files or directories.
The Data preview dialog box opens, which lets you preview the data before you add it to a Splunk index. For this tutorial, you do not do this. To read more about data preview, see "Overview of data preview" in the Getting Data In manual.
4. Select Skip preview and click Continue.
This takes you to Add new Fields & directories view, where you tell Splunk how to access the data source.
5. Under Source, select Upload and index a file and browse for the tutorial data file, tutorialdata.zip.
The source of a file or directory is the full pathname to the file or directory.
6. Select More settings.
The More settings option lets you override the default settings for Host, Source type, and Index. For this tutorial, you need to modify the host settings to assign host names to the events based on the file's location in the compressed file.
6.1. Select Segment in path from the menu.
6.2. Type in 1 for the segment number.
7. Click Save.
A message appears saying the upload was successful.
8. Click the Splunk logo on the Splunk bar to return to Home.
The Data panel in Home displays a summary of the data you added. If you do not have other data in your Splunk index, the data panel looks like this:
This compressed tutorial data includes events generated for a fictitious online game store, Buttercup Games. There are five hosts and eight sources. The events represent data from three source types:
- Apache web server logs
- Secure server logs
- Global sales vendors
Currently, the examples in this tutorial use the Apache web server logs. This may change in future iterations.
Some of the examples in this tutorial require data from external lookup tables. Now that you've added data to Splunk, the next topic walks you through adding the lookup tables to Splunk.
Navigating Splunk Web
Add lookup files into Splunk
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15