Splunk® Enterprise

Getting Data In

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

What Splunk Enterprise can index

The first step in using Splunk Enterprise is to feed it data. Once Splunk Enterprise gets some data, it immediately indexes it and makes it available for searching. With its universal indexing ability, Splunk Enterprise transforms your data into a series of events that consist of searchable fields. You can massage the data before and after Splunk indexes it, but this is usually not necessary.

Basically, you point Splunk Enterprise at data and in moments, you can start searching the data, or use it to create charts, reports, alerts, and other interesting outputs.

What kind of data?

Any data. In particular, any and all IT streaming, machine, and historical data. Stuff like Windows event logs, web server logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, or anything else of interest. Any data. Really.

Point Splunk Enterprise at a data source. Tell it a bit about the source. That source then becomes a data input. Splunk Enterprise begins to index the data stream, transforming it into a series of individual events. You can view and search those events right away. If the results aren't exactly what you want, you can tweak the indexing process until it is.

The data can be on the same machine as the Splunk Enterprise indexer (local data), or it can be on another machine altogether (remote data). You can easily get remote data into Splunk Enterprise, either by using network feeds or by installing Splunk forwarders on the machines where the data originates. Forwarders are lightweight versions of Splunk that consume data and then forward it on to the main Splunk Enterprise instance for indexing and searching. For more information on local vs. remote data, see "Where is my data?".

To make the job easier, Splunk offers lots of free apps and add-ons, with pre-configured inputs for things like Windows- or Linux-specific data sources, Cisco security data, Blue Coat data, and so on. Look in Splunk Apps for an app or add-on that fits your needs. Splunk also comes with dozens of recipes for data sources like web server logs, Java 2 Platform, Enterprise Edition (J2EE) logs, or Windows performance metrics. You can get to these from the Add data section of Splunk Web, described later. If the recipes and apps don't cover your needs, then you can use the general input configuration capabilities of Splunk Enterprise to specify your particular data source. These generic data sources are discussed here.

How to specify data inputs

You add new types of data to Splunk Enterprise by specifying them. There are a number of ways you can specify a data input:

  • Apps. Splunk has a large and growing variety of apps and add-ons that offer preconfigured inputs for various types of data sources. Take advantage of Splunk apps and free yourself from having to configure the inputs yourself. For more information, see "Use apps".
  • Splunk Web. You can configure most inputs using the Splunk Web data input pages. These provide a GUI-based approach to configuring inputs. You can access the Add data landing page from either Splunk Home or the System menu. See "Use Splunk Web".
  • The Splunk CLI. You can use the CLI (command line interface) to configure most types of inputs. See "Use the CLI".
  • The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the configurations get saved in a configuration file called inputs.conf. You can edit that file directly, if you prefer. To handle some advanced data input requirements, you might need to edit it. See "Edit inputs.conf".

In addition, if you use forwarders to send data from outlying machines to a central indexer, you can specify some inputs during forwarder installation. See "Use forwarders".

For more information on configuring inputs, see "Configure your inputs".

Types of data sources

As described earlier, Splunk provides tools to configure all sorts of data inputs, including many that are specific to particular application needs. Splunk also provides the tools to configure any arbitrary data input types. In general, you can categorize Splunk inputs as follows:

  • Files and directories
  • Network events
  • Windows sources
  • Other sources

Files and directories

A lot of the data you might be interested in comes directly from files and directories. For the most part, you can use the Splunk Enterprise files and directories monitor input processor to get data from files and directories.

To monitor files and directories, see "Get data from files and directories".

Network events

Splunk Enterprise can index data from any network port. For example, Splunk can index remote data from syslog-ng or any other application that transmits via TCP. It can also index UDP data, but we recommend using TCP instead whenever possible, for enhanced reliability.

Splunk Enterprise can also receive and index SNMP events, alerts fired off by remote devices.

To get data from network ports, see "Get data from TCP and UDP ports".

To get SNMP data, see "Send SNMP events to Splunk".

Windows sources

The Windows version of Splunk Enterprise includes a wide range of Windows-specific inputs. It also provides pages in Splunk System for defining the Windows-specific input types listed below:

Important: To index and search Windows data on a non-Windows instance of Splunk Enterprise, you must first use a Windows instance to gather the data. See "Considerations for deciding how to monitor remote Windows data" for details.

For a more detailed introduction to using Windows data in Splunk Enterprise, see "About Windows data and Splunk Enterprise".

Other sources

Splunk Enterprise also supports other kinds of data sources. For example:

  • Scripted inputs
    Get data from APIs and other remote data interfaces and message queues.
  • Modular inputs
    Define a custom input capability to extend the Splunk Enterprise framework.

What to read next

The topics that follow this one discuss issues to consider when specifying Splunk data:

Is my data local or remote?

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters