Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Prepare your data

Data preview works on single files only. Although it doesn't directly process network data or directories of files, you can easily get around those limitations.

Note: Data preview can only access local files.

Preview network data

You can direct some sample network data into a file, which you can then feed to data preview. There are a number of external tools that can do this; a typical one in the *nix world is netcat. For example, if you're listening to UDP data on port 514, you can use netcat to direct some of your network data into a file:

nc -lu 514 > sample_network_data

You will probably want to run that command inside a shell script that has logic to kill netcat once the file reaches a size of 2MB; by default, data preview reads only the first 2MB of data from a file.
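One way to write that wrapper, as an added example rather than a script from the Splunk documentation: `capture_sample` is a hypothetical helper that runs the listener in the background, polls the output file once a second, and stops the listener when the file reaches the size limit or a timeout expires. The 2000000-byte reading of "2MB" and the 300-second timeout in the usage comment are assumptions.

```shell
#!/bin/sh
# capture_sample OUTFILE MAX_BYTES TIMEOUT_SECS COMMAND [ARGS...]
# Runs COMMAND with stdout written to OUTFILE and stops it once OUTFILE
# reaches MAX_BYTES or TIMEOUT_SECS pass, whichever comes first.
# Prints the final size of OUTFILE in bytes.
# (Hypothetical helper name; the body runs in a subshell so the umask
# change does not leak into the caller.)
capture_sample() (
    out=$1; max=$2; timeout=$3; shift 3
    umask 077                     # captured log data may be sensitive
    : > "$out" || exit 1
    "$@" > "$out" 2>/dev/null &   # e.g. nc -lu 514
    pid=$!
    elapsed=0
    while kill -0 "$pid" 2>/dev/null; do
        size=$(wc -c < "$out" | tr -d ' ')
        if [ "$size" -ge "$max" ] || [ "$elapsed" -ge "$timeout" ]; then
            kill "$pid" 2>/dev/null || true
            break
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    wait "$pid" 2>/dev/null || true
    # Trim any overshoot from the last polling interval.
    head -c "$max" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    wc -c < "$out" | tr -d ' '
)

# Usage with the command from this page (2MB taken as 2000000 bytes,
# an assumption; give up after 300 seconds of waiting):
#   capture_sample sample_network_data 2000000 300 nc -lu 514
```

Binding port 514 requires root privileges on most systems, and the restrictive umask keeps the captured sample readable only by the account that ran the capture.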

After you've created the "sample_network_data" file, you can run it through data preview. Once you've finished previewing the data in the file and making any necessary changes to its event processing, you can apply any newly created source type directly to your network data.

Preview directories of files

If all the files in a directory are similar in content, then you can run data preview on just a single file and feel fairly confident that the results will be valid for all files in the directory. However, if you have directories with files of heterogeneous data, you should run data preview multiple times on a set of files that represent the full range of data in your directory.

File size limit

Data preview reads the first 2MB of data from the file. In most cases, this should provide a sufficient sampling of your data. If you need to sample a larger quantity of data, you can change the max_preview_bytes attribute in limits.conf. If you have Splunk Cloud and need this limit adjusted, file a Support ticket. Alternatively, you can edit the file to reduce large amounts of similar data, so that the remaining 2MB of data contains a representation of all the types of data in the original file.

Last modified on 21 July, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15
