
Edit inputs.conf
To add an input to Splunk Enterprise, add a stanza to inputs.conf in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps/. If you have not worked with Splunk's configuration files before, read "About configuration files" before you begin.
You can set multiple attributes in an input stanza. If you do not specify a value for an attribute, Splunk Enterprise uses the default, as defined in $SPLUNK_HOME/etc/system/default/inputs.conf.
Note: To ensure that new events are indexed when you copy over an existing file with new contents, set the CHECK_METHOD = modtime attribute in props.conf for the source. This checks the modification time of the file and re-indexes it when it changes. Be aware that the entire file will be re-indexed, which can result in duplicate events.
Configuration settings
There are separate stanza types for monitor and batch. See "Monitor files and directories" for detailed information about monitor and batch.
The following are attributes that you can use in both monitor and batch input stanzas. See the sections that follow for attributes that are specific to each type of input.
Attribute | Default
---|---
host = <string> | the IP address or fully-qualified domain name of the host where the data originated
index = <string> | main, or whatever you set the default index to
sourcetype = <string> | Splunk Enterprise picks a source type based on various aspects of the data; there is no hard-coded default
queue = parsingQueue \| indexQueue | parsingQueue
_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,... | the groups present in 'defaultGroup' in the [tcpout] stanza in outputs.conf
host_regex = <regular expression> | the default "host = " attribute, if the regex fails to match
host_segment = <integer> | the default "host = " attribute, if the value is not an integer or is less than 1
Monitor syntax and examples
Monitor input stanzas direct Splunk Enterprise to watch all files in <path> (or just <path> itself if it represents a single file). The stanza header is the input type followed by the path, so a path that starts at the root directory has three slashes after the input type: two from the :// separator and one from the leading slash of the path.
You can use wildcards for the path. For more information, read "Specify input paths with wildcards" in this manual.
```ini
[monitor://<path>]
<attribute1> = <val1>
<attribute2> = <val2>
...
```
The following are additional attributes you can use when defining monitor input stanzas:
Attribute | Default
---|---
source = <string> | the input file path
crcSalt = <string> | N/A
ignoreOlderThan = | 0 (disabled)
followTail = 0 \| 1 | 0
whitelist = <regular expression> | N/A
blacklist = <regular expression> | N/A
alwaysOpenFile = 0 \| 1 | N/A
recursive = true \| false | true
time_before_close = <integer> | 3
followSymlink = true \| false | true
Example 1. To load anything in /apache/foo/logs or /apache/bar/logs, etc.:
```ini
[monitor:///apache/.../logs]
```
Example 2. To load anything in /apache/ that ends in .log:
```ini
[monitor:///apache/*.log]
```
Example 3. To monitor the Windows DNS server log:
```ini
[monitor://C:\Windows\System32\DNS\dns.log]
```
MonitorNoHandle syntax and examples
On Windows systems only, use the MonitorNoHandle stanza to monitor files without using Windows file handles. This allows you to read special log files such as the Windows DNS server log.
You must specify a valid path to a file when you use MonitorNoHandle; you cannot specify a directory. If you specify a file that already exists, Splunk Enterprise does not index the existing data in the file. It only indexes new data that the system writes to the file.
You can only configure MonitorNoHandle using inputs.conf or the CLI. You cannot configure it in Splunk Web.
```ini
[MonitorNoHandle://<path>]
<attribute1> = <val1>
<attribute2> = <val2>
...
```
Batch syntax and examples
Use batch to set up a one-time, destructive input of data from a source. For continuous, non-destructive inputs, use monitor. Remember, after the batch input is indexed, Splunk deletes the file.
```ini
[batch://<path>]
move_policy = sinkhole
<attribute1> = <val1>
<attribute2> = <val2>
...
```
Important: When defining batch inputs, you must include the attribute move_policy = sinkhole. This loads the file destructively. Do not use the batch input type for files you do not want to delete after indexing.
Example: This example batch-loads all files from the directory system/flight815/, but does not recurse through any subdirectories under it:
```ini
[batch://system/flight815/*]
move_policy = sinkhole
```
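As an added example (not part of this documentation and not Splunk's own tooling), the following Python script lints an inputs.conf against the rules stated on this page: batch stanzas must carry move_policy = sinkhole, a root-anchored path needs three slashes after the input type, MonitorNoHandle takes a single file, and whitelist, blacklist and host_regex must be valid regular expressions. The sample config embedded in it, and the finding messages, are constructed for the demonstration.

```python
# Added example (not Splunk's own tooling): lint an inputs.conf against the
# monitor/batch rules this page describes. The sample config is constructed.
import configparser
import re

# Constructed sample: a sound monitor stanza, a batch stanza with a relative
# path, and a batch stanza that forgot move_policy = sinkhole.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = security
blacklist = \\.gz$

[batch://system/flight815/*]
move_policy = sinkhole

[batch:///var/spool/exports/*.csv]
index = finance
"""

STANZA_RE = re.compile(r"^(monitor|MonitorNoHandle|batch)://(.*)$")
WIN_DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def lint_inputs_conf(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the config passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # inputs.conf keys are case-sensitive (e.g. _TCP_ROUTING)
    cp.read_string(text)
    findings = []
    for stanza in cp.sections():
        m = STANZA_RE.match(stanza)
        if not m:
            findings.append(f"[{stanza}]: unrecognised input type")
            continue
        kind, path = m.groups()
        attrs = dict(cp[stanza])
        # batch deletes what it reads, and the page requires move_policy = sinkhole.
        if kind == "batch" and attrs.get("move_policy") != "sinkhole":
            findings.append(f"[{stanza}]: batch input must set move_policy = sinkhole")
        # Three slashes after the type give an absolute path; warn on relative ones.
        if kind != "MonitorNoHandle" and not (path.startswith("/") or WIN_DRIVE_RE.match(path)):
            findings.append(f"[{stanza}]: path '{path}' is relative; use {kind}:///... for root")
        # MonitorNoHandle takes exactly one file, never a directory or wildcard.
        if kind == "MonitorNoHandle" and (path.endswith(("\\", "/")) or "*" in path):
            findings.append(f"[{stanza}]: MonitorNoHandle needs a single file path")
        for key in ("whitelist", "blacklist", "host_regex"):  # must compile as regexes
            try:
                re.compile(attrs.get(key, ""))
            except re.error as exc:
                findings.append(f"[{stanza}]: {key} is not a valid regex ({exc})")
    return findings
```

Run it against $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf before deploying; on the embedded sample it reports the relative batch path and the missing move_policy.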
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
Comments
Horrible example for batch. /system/flight815/ hints that it is a root directory, yet the example does not use the /
the example directory should be system/flight815/
Hi Lnetto,
Actually, it is not a root directory. In that case, the stanza would be [batch:///system/flight815/*].