Splunk® Enterprise

Search Tutorial

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Get the tutorial data into Splunk

This topic walks you through downloading the tutorial data set and adding it into Splunk Enterprise. You can complete this tutorial in several hours, but if you want to spread it out over a few days, download a new sample data file and add it.

Download the sample data file

Download but do not uncompress the tutorial data file here:


This tutorial data file is updated daily and shows events timestamped for the previous 7 days.

Add the sample data into Splunk Enterprise

1. Log into Splunk.

If you're not in Splunk Home, click the Splunk logo on the Splunk bar.

2. In the Data panel, click Add data.

The Add data window opens, which provides a list of data types and sources that you can select from. The tutorial data is a compressed file source.

6.1 tutorial adddata.png

3. Under Or Choose a Data Source, click From files or directories.

The Data preview dialog box opens, which lets you preview the data before you add it to a Splunk index. For this tutorial, you do not do this. To read more about data preview, see "Overview of data preview" in the Getting Data In manual.

6.1 tutorial skip datapreview.png

4. Select Skip preview and click Continue.

This takes you to Add new Fields & directories view, where you tell Splunk how to access the data source.

5. Under Source, select Upload and index a file and browse for the tutorial data file, tutorialdata.zip.

6.1 tutorial uploadfile.png

The source of a file or directory is the full pathname to the file or directory.

6. Select More settings. Modify the Host settings to assign the host names using a portion of the path name. The settings that you select depend on the operating system on which you are installing the Splunk software.

Linux or Mac OS X
a. Select Segment in path.
b. Type 1 for the segment number.
a. Select Regular expression on path.
b. Type \\(.*)\/ for the regex to extract the host from the path.

6.1 tutorial hostoverride.png

7. Click Save.

A message appears saying the upload was successful.

6.1 tutorial adddata success.png

8. Click the Splunk logo on the Splunk bar to return to Home.

The Data panel in Home displays a summary of the data you added. If you do not have other data in your Splunk index, the data panel looks like this:

6.1 tutorial updated datasummary.png

Data summary

This compressed tutorial data includes events generated for a fictitious online game store, Buttercup Games. There are five hosts and eight sources. The events represent data from three source types:

  • Apache web server logs
  • Secure server logs
  • Global sales vendors

Next steps

Now that you added the tutorial data, learn about the Search app and start searching the tutorial data.

Last modified on 27 August, 2016
About getting data into Splunk Enterprise
About the Search dashboard

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters