Splunk® Enterprise

Getting Data In

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Modify input settings

This topic discusses the "Input Settings" page Splunk Enterprise presents after you configure the data source in the "Set Sourcetypes" page.

After you select the source (or set your source type when uploading or monitoring a single file), Splunk Enterprise presents the following page:

62 datapreview inputsettings.png

The page lets you specify additional parameters for your data input, such as its source type, its application context, its host value, and the index where data from the input should be stored.

The input settings available are as follows:

Source type

The "Sourcetype" setting lets you specify what source type Splunk Enterprise should apply to your data. It appears when:

  • You specify a data source that is not a single file.
  • You specify a directory as a data source.
  • You specify a network input as a data source.
  • You specify a data source that has been forwarded from another Splunk Enterprise instance.

If your data source does not meet these criteria, then the "Sourcetype" setting does not appear.

To specify a source type, click one of the three buttons:

  • Automatic: Tells Splunk Enterprise to apply the default source type to the data.
  • Select: Tells Splunk Enterprise to apply the source type you specify to the data. When you click "Select," a drop-down appears that lists all available source types on the machine, arranged by category. First, choose the category that best represents the source type you want, then choose the source type from the list.
  • Manual: Tells Splunk Enterprise to use the source type that you enter in the field that appears below.

Note: There is no facility to create a source type on this page. If you want to create a source type so that it appears in the "Select" list, either:

App context

The Application Context setting tells Splunk Enterprise the context in which the input should collect data. Application contexts improve manageability of input and source type definitions. Splunk Enterprise loads all app contexts based on precedence rules. See "Configuration file precedence" in the Admin manual.

Select the application context you want this input to operate within by clicking the drop-down and selecting the application context you want from the list.

Host value

Splunk Enterprise tags each event that it indexes with a host value. You can configure what Splunk Enterprise tags events with by specifying how it should do so:

  • Constant value: Tells Splunk Enterprise to use the value you specify in the "Host Field Value" field. Splunk Enterprise tags each event with this value for the "Host" field, and you can later search on this host field with the same value.
  • Regular expression on path: Use this setting to configure Splunk Enterprise to extract the host value from the path of the file that contains the data. Enter the valid regular expression in the Regular expression field below. Splunk Enterprise then uses this regular expression to extract the host name from the path. See "About hosts."
  • Segment in path: Use this setting to tell Splunk Enterprise to determine the host value from a segment within the source input path name. Enter the segment number in the Segment number field below.

For example, if the source input has a pathname /var/server/<hostname>, and you wanted Splunk Enterprise to set the host field based on hostname, you would select "Segment in path" and enter 3 as the segment number, since <hostname> is the third segment in the path /var/server/hostname.

Index

The "Index" setting tells Splunk Enterprise which index that it should store the events for this input. To use the default index, leave the drop-down button set to "Default". To choose another index, click the drop-down button and select the index you want the data to go to by clicking the selection in the list. If the index you want to send the data to is not in the list, and you have the permissions, you can create a new index by clicking the Create a new index button.

Once you have made your selections, you can proceed to the final step of the "Add Data" process by clicking the green Next button.

PREVIOUS
Data preview and distributed Splunk Enterprise
  NEXT
Monitor files and directories

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters