Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

How to get going

To get started with Splunk Enterprise, just point it at some data by configuring an input from the Add data page. Or, even easier, you can download and enable a relevant app, such as one of the OS apps (Splunk App for Windows or Splunk App for Unix and Linux). Once you've installed Splunk Enterprise, configured the inputs, and/or enabled the app, it immediately starts indexing the specified data. In a short time, you can go to the Search app (reachable from Splunk Home, the starting page for Splunk Web) and begin to explore the data in detail.

It's easy, but still... it's a good idea to work first with a test index.

Add new inputs

Here's a recommended way to start out:

1. Understand your needs. Some of the questions you might ask yourself include:

  • What kind of data do I want Splunk Enterprise to index? Look here for a quick guide to the types of data Splunk indexes.
  • Is there an app for that? See "Use apps" to find out if there's a pre-configured app that will meet your needs.
  • Where does the data reside? Is it local or remote? See "Where is my data?".
  • Should I use forwarders to access remote data? See "Use forwarders".
  • What do I want to do with the indexed data? Get a sense of the possibilities; start by reading "What is Splunk knowledge?" in the Knowledge Manager manual.

2. Start out small, by creating a test index and adding just a few inputs. Look here for information on setting up a test index.

Important: Try to keep the amount of test data to a minimum; any data added to your test index counts against your maximum daily indexing volume for licensing purposes.

3. Use the Splunk Enterprise data preview feature to see and, if need be, modify how Splunk Enterprise indexes your data before committing the data to the test index. See "Overview of data preview" for details.

4. Run some searches on the test data:

  • Are you seeing the sort of data you were expecting?
  • Did the default configurations work well for your events?
  • Is there stuff missing or mangled?
  • Are the results optimal?

5. If necessary, massage your input and event processing configurations further until events look the way you want them to. To learn how to configure event processing, see "What Splunk Enterprise does with your data" in this manual.

6. Delete the data from your test index and start over, if necessary. Look here for information on how to do that.

7. When you're ready for prime time, point your inputs to the default "main" index, as described here.

When you've got other inputs to add, adopt the same approach.
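The steps above hinge on two configuration details: every new input must actually land in the test index (step 2), and once you are satisfied the same stanzas must be repointed at "main" (step 7). The script below is an added example, not code from the Splunk documentation; it parses an inputs.conf file, reports monitor stanzas that would silently fall through to the default index (an input with no `index` setting, and no `index` in `[default]`, goes to "main"), and rewrites the `index` lines for promotion while leaving comments and other settings untouched. The index names "test" and "main", the sample inputs.conf text, and the host and path values in it are constructed for the example.

```python
"""Check and promote Splunk inputs.conf stanzas between a test index and main."""
import configparser

# Assumptions for this example: the test index is called "test" and
# production inputs go to the default "main" index, as the page suggests.
TEST_INDEX = "test"
PRODUCTION_INDEX = "main"

# Constructed sample inputs.conf: two monitor inputs, one of which never
# sets "index" and would therefore be written to the default index.
SAMPLE_INPUTS_CONF = """\
[default]
host = webhost01

[monitor:///var/log/customapp/app.log]
sourcetype = customapp
index = test
disabled = false

[monitor:///var/log/customapp/audit.log]
sourcetype = customapp_audit
disabled = false
"""


def parse_inputs_conf(text):
    """Parse a Splunk .conf file into {stanza: {key: value}}.

    Splunk conf files are INI-style. Interpolation is disabled because
    values may contain '%' (time formats), and only '=' is a delimiter
    because stanza and source names routinely contain ':'.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep attribute names in the case they were written
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def effective_index(stanzas, stanza):
    """Resolve the index an input stanza writes to.

    A stanza without an explicit 'index' inherits it from [default]; if
    neither sets one, Splunk writes the events to "main".
    """
    own = stanzas.get(stanza, {})
    defaults = stanzas.get("default", {})
    return own.get("index") or defaults.get("index") or PRODUCTION_INDEX


def inputs_off_test_index(text, test_index=TEST_INDEX):
    """Step 2 check: list monitor stanzas that would NOT land in the test index."""
    stanzas = parse_inputs_conf(text)
    return sorted(
        name for name in stanzas
        if name.startswith("monitor://")
        and effective_index(stanzas, name) != test_index
    )


def promote_inputs(text, from_index=TEST_INDEX, to_index=PRODUCTION_INDEX):
    """Step 7: rewrite every 'index = <from_index>' line to point at <to_index>.

    Done line by line so comments, ordering and unrelated settings survive
    (writing back through configparser would discard comments).
    """
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "index" and value.strip() == from_index:
            out.append(f"index = {to_index}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def test_index_stanza(name=TEST_INDEX):
    """Minimal indexes.conf stanza for the test index (paths under $SPLUNK_DB)."""
    return (
        f"[{name}]\n"
        f"homePath = $SPLUNK_DB/{name}/db\n"
        f"coldPath = $SPLUNK_DB/{name}/colddb\n"
        f"thawedPath = $SPLUNK_DB/{name}/thaweddb\n"
    )


if __name__ == "__main__":
    stray = inputs_off_test_index(SAMPLE_INPUTS_CONF)
    print("monitor inputs not on the test index:", stray or "none")
    print("indexes.conf stanza for the test index:\n" + test_index_stanza())
    print("promoted inputs.conf:\n" + promote_inputs(SAMPLE_INPUTS_CONF))
```

Run the check before restarting Splunk with a new inputs.conf: the sample flags the `audit.log` stanza, which is exactly the kind of input that would quietly consume production license volume instead of staying in the test index. Before promoting (step 7), clear the test index with `splunk clean eventdata -index test` (step 6) so the trial data does not linger alongside the real events.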

Got custom data? It might need some extra TLC

Splunk Enterprise can index any time-series data, usually without the need for additional configuration. If you've got logs from a custom application or device, you should let Splunk Enterprise index it with the default configuration first. But if you're not getting the results you want, you can tweak a bunch of different things to make sure Splunk Enterprise indexes your events correctly.

We recommend you learn a bit about event processing and how Splunk Enterprise indexes data before proceeding so you can make informed decisions about what TLC your data needs. Here are some issues to consider:

Last modified on 22 October, 2014

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
