What Splunk Enterprise can index
The first step in using Splunk Enterprise is to feed it data. Once Splunk Enterprise gets some data, it immediately indexes it and makes it available for searching. With its universal indexing ability, Splunk Enterprise transforms your data into a series of events that consist of searchable fields. You can massage the data before and after Splunk indexes it, but this is usually not necessary.
Basically, you point Splunk Enterprise at data and in moments, you can start searching the data, or use it to create charts, reports, alerts, and other interesting outputs.
What kind of data?
Any data. In particular, any and all IT streaming, machine, and historical data. Stuff like Windows event logs, web server logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, or anything else of interest. Any data. Really.
Point Splunk Enterprise at a data source. Tell it a bit about the source. That source then becomes a data input. Splunk Enterprise begins to index the data stream, transforming it into a series of individual events. You can view and search those events right away. If the results aren't exactly what you want, you can tweak the indexing process until it is.
The data can be on the same machine as the Splunk Enterprise indexer (local data), or it can be on another machine altogether (remote data). You can easily get remote data into Splunk Enterprise, either by using network feeds or by installing Splunk forwarders on the machines where the data originates. Forwarders are lightweight versions of Splunk that consume data and then forward it on to the main Splunk Enterprise instance for indexing and searching. For more information on local vs. remote data, see "Where is my data?".
To make the job easier, Splunk offers lots of free apps and add-ons, with pre-configured inputs for things like Windows- or Linux-specific data sources, Cisco security data, Blue Coat data, and so on. Look in Splunk Apps for an app or add-on that fits your needs. Splunk also comes with dozens of recipes for data sources like web server logs, Java 2 Platform, Enterprise Edition (J2EE) logs, or Windows performance metrics. You can get to these from the Add data section of Splunk Web, described later. If the recipes and apps don't cover your needs, then you can use the general input configuration capabilities of Splunk Enterprise to specify your particular data source. These generic data sources are discussed here.
How to specify data inputs
You add new types of data to Splunk Enterprise by specifying them. There are a number of ways you can specify a data input:
- Apps. Splunk has a large and growing variety of apps and add-ons that offer preconfigured inputs for various types of data sources. Take advantage of Splunk apps and free yourself from having to configure the inputs yourself. For more information, see "Use apps".
- Splunk Web. You can configure most inputs using the Splunk Web data input pages. These provide a GUI-based approach to configuring inputs. You can access the Add data landing page from either Splunk Home or the System menu. See "Use Splunk Web".
- The Splunk CLI. You can use the CLI (command line interface) to configure most types of inputs. See "Use the CLI".
- The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the configurations get saved in a configuration file called inputs.conf. You can edit that file directly, if you prefer. To handle some advanced data input requirements, you might need to edit it. See "Edit inputs.conf".
In addition, if you use forwarders to send data from outlying machines to a central indexer, you can specify some inputs during forwarder installation. See "Use forwarders".
For more information on configuring inputs, see "Configure your inputs".
Types of data sources
As described earlier, Splunk provides tools to configure all sorts of data inputs, including many that are specific to particular application needs. Splunk also provides the tools to configure any arbitrary data input types. In general, you can categorize Splunk inputs as follows:
- Files and directories
- Network events
- Windows sources
- Other sources
Files and directories
A lot of the data you might be interested in comes directly from files and directories. For the most part, you can use the Splunk Enterprise files and directories monitor input processor to get data from files and directories.
To monitor files and directories, see "Get data from files and directories".
Splunk Enterprise can index data from any network port. For example, Splunk can index remote data from
syslog-ng or any other application that transmits via TCP. It can also index UDP data, but we recommend using TCP instead whenever possible, for enhanced reliability.
Splunk Enterprise can also receive and index SNMP events, alerts fired off by remote devices.
To get data from network ports, see "Get data from TCP and UDP ports".
To get SNMP data, see "Send SNMP events to Splunk".
The Windows version of Splunk Enterprise includes a wide range of Windows-specific inputs. It also provides pages in Splunk System for defining the Windows-specific input types listed below:
- Windows Event Log data
- Windows Registry data
- WMI data
- Active Directory data
- Performance monitoring data
Important: To index and search Windows data on a non-Windows instance of Splunk Enterprise, you must first use a Windows instance to gather the data. See "Considerations for deciding how to monitor remote Windows data" for details.
For a more detailed introduction to using Windows data in Splunk Enterprise, see "About Windows data and Splunk Enterprise".
Splunk Enterprise also supports other kinds of data sources. For example:
- Scripted inputs
Get data from APIs and other remote data interfaces and message queues.
- Modular inputs
Define a custom input capability to extend the Splunk Enterprise framework.
What to read next
The topics that follow this one discuss issues to consider when specifying Splunk data:
- "Where is my data?". A concise explanation of remote vs. local data, and why it matters.
- "Use forwarders". How to use forwarders to simplify the remote collection of data.
- "Use apps". How to use Splunk apps to get your data into Splunk Enterprise quickly.
- "How to get going". An overview of the process of getting and configuring data sources, with tips on best practices.
- "Configure your inputs". The ways you can configure data inputs in Splunk Enterprise.
- "About Windows data and Splunk Enterprise". An introduction to getting Windows data into Splunk Enterprise.
- "What Splunk Enterprise does with your data (and how to make it do it better)". What happens to your data once it enters Splunk Enterprise, and how you can configure Splunk to make the data even more useful.
Is my data local or remote?
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14