Splunk® Enterprise

Getting Data In

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Prepare your data

This topic discusses how to prepare your data to be viewed in Splunk Enterprise data preview.

Note: Data preview works on single files only, and can only access files that are on the Splunk Enterprise server. Although it doesn't directly process network data or directories of files, you can easily get around those limitations.

Preview network data

You can direct some sample network data into a file, which you can then feed to data preview. There are a number of external tools that can do this; a typical one in the *nix world is netcat. For example, if you're listening to UDP data on port 514, you can use netcat to direct some of your network data into a file:

nc -lu 514 > sample_network_data

You will probably want to run that command inside a shell script that has logic to kill netcat once the file reaches a size of 2MB. By default, data preview reads only the first 2MB of data from a file.

After you've created the "sample_network_data" file, you can run it through data preview. Once you've finished previewing the data in the file and making any necessary changes to its event processing, you can apply any newly created source type directly to your network data.

Preview directories of files

If all the files in a directory are similar in content, then you can run data preview on just a single file and feel fairly confident that the results will be valid for all files in the directory. However, if you have directories with files of heterogeneous data, you should run data preview multiple times, on a set of files that represents the full range of data in the directory.

File size limit

Data preview reads the first 2MB of data from the file. In most cases, this should provide a sufficient sampling of your data. If you need to sample a larger quantity of data, you can change the max_preview_bytes attribute in limits.conf. Alternatively, you can edit the file to reduce large amounts of similar data, so that the remaining 2MB of data contains a representation of all the types of data in the original file.

PREVIOUS
Data preview and source types
  NEXT
View event data

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters