Splunk® Enterprise

Search Tutorial


About getting data into Splunk Enterprise

Before you can use Splunk Enterprise, you need to add data to it. Once you define a data source (an input), Splunk Enterprise begins to index the data stream and transform it into a series of individual events that you can view and search. If the resulting events are not what you want (for example, the host, source type or timestamps are wrong), adjust the input and indexing settings until you are satisfied.

This topic is a brief overview of the types of data that you can add to Splunk, the ways to get that data into Splunk, and where Splunk stores that data after you add it.

What kinds of data?

Splunk Enterprise works with any data, in particular all IT streaming and historical data: event logs, web logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, and so on.

The data can be on the same machine as the Splunk indexer (local data), or it can be on another machine (remote data). For information on local versus remote data, see "Where is my data?" in the Getting Data In manual.

In general, categorize input sources as follows:

  • Files and directories: A lot of data you might be interested in comes directly from files and directories.
  • Network events: Splunk can index remote data from any network port and SNMP events from remote devices.
  • Windows sources: The Windows version of Splunk includes a wide range of Windows-specific inputs, including Windows Event Log, Windows Registry, WMI, Active Directory, and Performance monitoring.
  • Other sources: Splunk also supports other input sources, such as FIFO queues and scripted inputs for getting data from APIs and other remote data interfaces.

For information about data and Splunk Enterprise, see "What Splunk can index" in the Getting Data In manual.

How to specify data inputs

You add new types of data to Splunk by defining the input sources. There are a number of ways to do this:

  • Splunk Web. You can configure most inputs using the Splunk Web data input pages. These views provide a GUI-based approach to configuring inputs. Use this method to add the tutorial data into Splunk.
  • Apps. Splunk has a large variety of apps and add-ons that offer preconfigured inputs for types of data sources. For more information, see "Use apps."
  • Splunk's CLI. You can use the CLI (command line interface) to configure most types of inputs. See "Use the CLI."
  • The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the configurations are saved in an inputs.conf file. To handle some advanced data input requirements, you might need to edit that file directly. See "Edit inputs.conf" in the Getting Data In manual.

For more information on configuring inputs, see "Configure your inputs" in the Getting Data In manual.
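Whichever method you use to define an input, the result is a stanza in inputs.conf, and that file is what a reviewer ends up reading. The following is an added example (not Splunk's own code) that parses an inputs.conf, works out which index each input's events will land in, and flags the settings a security reviewer checks before an input goes live: inputs with no explicit index (which fall into the default index), UDP and raw TCP listeners, and scripted inputs. It assumes the documented stanza forms [monitor://<path>], [tcp://<host>:<port>], [udp://<port>], [splunktcp://<port>] and [script://<path>] and the keys index, sourcetype, disabled and interval; the sample file, paths and ports are constructed for this example.

```python
# Added example, not Splunk's own code: parse inputs.conf and review its inputs.
# Assumes the documented stanza forms monitor://, tcp://, udp://, splunktcp://
# and script:// and the keys index, sourcetype, disabled and interval.
import configparser

DEFAULT_INDEX = "main"  # the single preconfigured index for user data

# Constructed sample inputs.conf; hosts, paths and ports are illustrative only.
SAMPLE_INPUTS_CONF = """\
[default]
host = indexer01

[monitor:///var/log/secure]
sourcetype = linux_secure
index = os_security

[monitor:///var/log/apache2/access.log]
sourcetype = access_combined

[udp://514]
sourcetype = syslog
index = network

[tcp://10.0.0.5:9999]
sourcetype = app_events
index = app
disabled = 1

[script://./bin/inventory.sh]
interval = 300
sourcetype = inventory

[splunktcp://9997]
"""


def effective_index(scheme, index_value):
    """Where events from this input land. Inputs without an explicit index go
    to the default index; for splunktcp the sending forwarder's own inputs
    decide, so nothing is assumed here."""
    if index_value:
        return index_value.strip()
    return None if scheme == "splunktcp" else DEFAULT_INDEX


def review_findings(scheme, opts):
    """Security-review notes for an enabled input stanza."""
    findings = []
    if scheme != "splunktcp" and not opts.get("index"):
        findings.append("no index set: events land in %s, mixed with everything "
                        "else, with no separate retention or role-based access"
                        % DEFAULT_INDEX)
    if scheme == "udp":
        findings.append("UDP listener: unauthenticated and unencrypted; "
                        "source addresses can be spoofed")
    if scheme == "tcp":
        findings.append("raw TCP listener: plaintext unless fronted by TLS; "
                        "restrict the sending hosts")
    if scheme == "script":
        findings.append("scripted input: runs under the Splunk service account "
                        "every interval; review the script and its permissions")
    return findings


def parse_inputs_conf(text):
    """Return one dict per input stanza, in file order, with scheme, target,
    sourcetype, disabled flag, effective index and review findings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # inputs.conf keys are case-sensitive; keep as written
    cp.read_string(text)
    inputs = []
    for stanza in cp.sections():
        scheme, sep, target = stanza.partition("://")
        if not sep:
            continue  # [default] and other non-input stanzas carry no scheme
        opts = dict(cp.items(stanza))
        disabled = opts.get("disabled", "0").strip().lower() in ("1", "true")
        inputs.append({
            "stanza": stanza,
            "scheme": scheme,
            "target": target,
            "sourcetype": opts.get("sourcetype"),
            "disabled": disabled,
            "index": effective_index(scheme, opts.get("index")),
            "findings": [] if disabled else review_findings(scheme, opts),
        })
    return inputs


def report(text):
    """Human-readable summary: one line per input, findings indented below."""
    lines = []
    for e in parse_inputs_conf(text):
        state = "disabled" if e["disabled"] else "enabled"
        lines.append("%-40s index=%-12s %s" % (e["stanza"], e["index"], state))
        for f in e["findings"]:
            lines.append("    ! " + f)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INPUTS_CONF))
```

Run it against a real inputs.conf from $SPLUNK_HOME/etc/system/local or an app's local directory to see which inputs are silently sharing the default index; the fix is usually an explicit `index =` per stanza and a dedicated index per data class so that retention and role permissions can differ.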

Where Splunk stores data

A Splunk data repository is called an index. During indexing (or event processing), Splunk processes the incoming data stream to enable fast search and analysis, storing the results in the index as events.

Events are stored in the index as a group of files that fall into two categories:

  • Rawdata files, which hold the raw event data in compressed form.
  • Index files (tsidx files) and some metadata files that point into the raw data.

These files reside in sets of directories, called buckets, organized by age. For information, see "How Splunk stores indexes" in the Managing Indexers and Clusters manual.

Splunk, by default, puts all user data into a single, preconfigured index named main. It also uses several other indexes for internal purposes, such as _internal for its own logs and _audit for its audit trail. You can add new indexes and manage existing ones to meet your data requirements, for example to give different kinds of data their own retention and access control. See "About managing indexes" in the Managing Indexers and Clusters manual.

Next steps

Now that you're more familiar with Splunk data inputs and indexes, see "Get the tutorial data into Splunk Enterprise."


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14
