Splunk® Enterprise

Getting Data In


Get started with getting data in

To get started with getting data into Splunk Enterprise, point it at some data by configuring an input from the Add data page. See "How do you want to add data?"

Alternatively, you can download and enable an app, such as one of the OS apps (Splunk App for Windows Infrastructure or Splunk App for Unix and Linux).

Once you have installed Splunk Enterprise and either configured the inputs or enabled an app, Splunk Enterprise immediately starts storing and processing the specified data. In a short time, you can go to either the Search app (reachable from Splunk Home, the starting page for Splunk Web) or the main app page and begin exploring the data that you have collected in detail.

Add new inputs

Here is a recommended way to start out:

1. Understand your needs. Some of the questions you might ask yourself include:

2. Create a test index and add just a few inputs. See "Use a test index." Try to keep the amount of test data to a minimum, as any data added to your test index counts against your maximum daily indexing volume for licensing purposes.

3. Preview and, if needed, modify how Splunk Enterprise indexes your data before committing the data to the test index. Splunk Enterprise lets you preview incoming data from files that you monitor or upload. See "The 'Set Sourcetype' page" for details.

4. Run some searches on the test data:

  • Do you see the sort of data you were expecting?
  • Did the default configurations work well for your events?
  • Is data missing or mangled?
  • Are the results optimal?

5. If necessary, tweak your input and event processing configurations further until events look the way you want them to. To learn how to configure event processing, see "What Splunk Enterprise does with your data" in this manual.

6. Delete the data from your test index and start over, if necessary. See "Delete indexed data and start over" for information on how to do that.

7. When you are ready to index the data for real, point your inputs to the default "main" index, as described here.

Repeat this approach when you have other inputs to add.
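The procedure above, as an added configuration example that is not part of the Splunk documentation: a dedicated test index, one monitor input routed to it with its own sourcetype, and the same input re-pointed at "main" once the events look right. The index name "test", the log path and the sourcetype "custom_app" are assumed placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/indexes.conf
# Step 2: a small, dedicated test index. Data indexed here still counts
# against the daily license volume, so keep the inputs to a minimum.
[test]
homePath   = $SPLUNK_DB/test/db
coldPath   = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb
maxTotalDataSizeMB = 500

# $SPLUNK_HOME/etc/system/local/inputs.conf
# Step 2: a single file monitor, explicitly routed to the test index.
# Path and sourcetype are assumed placeholders for a custom application log.
[monitor:///var/log/custom_app/app.log]
index = test
sourcetype = custom_app
disabled = false

# $SPLUNK_HOME/etc/system/local/props.conf
# Steps 3 and 5: event processing for the custom sourcetype, adjusted after
# previewing the data. Timestamp format is an assumption for the sample log.
[custom_app]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 30

# Step 6: to discard the test data and start over, stop Splunk and run
#   splunk clean eventdata -index test
#
# Step 7: when ready to index for real, change the monitor stanza above to
# index = main (edit it in place rather than adding a second stanza for the
# same path, since only one stanza per path applies).
```

Restart Splunk Enterprise after editing these files so the new index and input take effect.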

Got custom data?

Splunk Enterprise can index any time-series data, usually without the need for additional configuration. If you have logs from a custom application or device, you should let Splunk Enterprise attempt to process them with the default configuration first. If you don't get the results you want, you can adjust the input and event processing configuration to make sure Splunk Enterprise indexes your events correctly.

See "Overview of event processing" and "How Splunk Enterprise indexes data" before proceeding so you can make informed decisions about how to make Splunk Enterprise work with your data. Here are some issues to consider:


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
