What Splunk Enterprise can index
The first step in using Splunk Enterprise is to feed it data. Once Splunk Enterprise gets some data, it indexes the data and makes it available for searching. With its universal indexing ability, Splunk Enterprise transforms your data into a series of events that consist of searchable fields. You can massage the data before and after Splunk indexes it, but this is usually not necessary. Once it has been indexed, you can start searching the data, or use it to create charts, reports, alerts, and other interesting outputs.
What kind of data?
Any kind. In particular, any and all IT streaming, machine, and historical data. For example: Windows event logs, web server logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, and so on.
Point Splunk Enterprise at a data source. Tell it a bit about the source. That source then becomes a data input. Splunk Enterprise begins to index the data stream, transforming it into a series of individual events. You can view and search those events right away. If the results aren't exactly what you want, you can tweak the indexing process until it is.
The data can be on the same machine as the Splunk Enterprise indexer (local data), or it can be on another machine (remote data). You can get remote data into Splunk Enterprise, either by using network feeds or by installing Splunk forwarders on the machines where the data originates. For more information on local vs. remote data, see "Where is my data?"
Splunk offers lots of free apps and add-ons, with pre-configured inputs for things like Windows- or Linux-specific data sources, Cisco security data, Blue Coat data, and so on. Look in Splunkbase for an app or add-on that fits your needs. Splunk also comes with dozens of recipes for data sources like web server logs, Java 2 Platform, Enterprise Edition (J2EE) logs, or Windows performance metrics. You can get to these from the Add data page in Splunk Web. If the recipes and apps don't cover your needs, then you can use the general input configuration capabilities of Splunk Enterprise to specify your particular data source.
How to specify data inputs
You add new types of data to Splunk Enterprise by specifying them. You can specify a data input with:
- Apps. Apps and add-ons offer preconfigured inputs for various types of data sources. See "Use apps".
- Splunk Web. Configure many types of inputs using the Splunk Web data input pages. These provide a GUI-based approach to configuring inputs. You can access the Add data landing page from either Splunk Home or the System menu. See "Use Splunk Web".
- The Splunk CLI. Use the CLI (command line interface) to configure most types of inputs. See "Use the CLI".
- The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the configurations get saved in a configuration file called inputs.conf. You can edit that file directly. To handle some advanced data input requirements, you might need to edit it. See "Edit inputs.conf".
In addition, if you use forwarders to send data from outlying machines to a central indexer, you can specify some inputs during forwarder installation. See "Use forwarders".
For more information on configuring inputs, see "Configure your inputs".
Types of data sources
Splunk provides tools to configure all sorts of data inputs, including many that are specific to particular application needs. Splunk also provides the tools to configure any arbitrary data input types. In general, you can categorize Splunk inputs as follows:
- Files and directories
- Network events
- Windows sources
- Other sources
Files and directories
A lot of the data comes directly from files and directories. You can use the Splunk Enterprise files and directories monitor input processor to get data from files and directories.
To monitor files and directories, see "Get data from files and directories."
Network events
Splunk Enterprise can index data from any network port. For example, Splunk can index remote data from syslog-ng or any other application that transmits via TCP. It can also index UDP data, but you should use TCP instead whenever possible for enhanced reliability.
Splunk Enterprise can also receive and index SNMP events, alerts fired off by remote devices.
To get data from network ports, see "Get data from TCP and UDP ports".
To get SNMP data, see "Send SNMP events to Splunk".
Windows sources
The Windows version of Splunk Enterprise includes a wide range of Windows-specific inputs. It also provides pages in Splunk System for defining the following Windows-specific input types:
- Windows Event Log data
- Windows Registry data
- WMI data
- Active Directory data
- Performance monitoring data
Note: To index and search Windows data on a non-Windows instance of Splunk Enterprise, you must first use a Windows instance to gather the data. See "Considerations for deciding how to monitor remote Windows data."
For a more detailed introduction to using Windows data in Splunk Enterprise, see "About Windows data and Splunk Enterprise".
Other data sources
Splunk Enterprise also supports other kinds of data sources. For example:
- Scripted inputs. Get data from APIs and other remote data interfaces and message queues.
- Modular inputs. Define a custom input capability to extend the Splunk Enterprise framework.
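The inputs.conf stanzas below, added here as a constructed example and not taken from the Splunk documentation, tie together the input types this page names: a file monitor, TCP and UDP network inputs, a forwarder receiver, and a scripted input. The log paths, ports, index names, network ranges and script name are assumptions; the network stanzas show acceptFrom restricting which hosts may send data, since an unrestricted port will index whatever reaches it.

```ini
# Constructed example inputs.conf; paths, ports, index names, address
# ranges and the script name are assumptions, not values from the docs.

# Files and directories: monitor one directory, only the files that matter
[monitor:///var/log/]
whitelist = (auth\.log|secure|messages)$
sourcetype = linux_secure
index = os_security
ignoreOlderThan = 30d
disabled = 0

# Network events: syslog over TCP, preferred over UDP for reliability.
# acceptFrom limits senders to the relay range and rejects one subnet.
[tcp://9514]
sourcetype = syslog
index = network
connection_host = dns
acceptFrom = 10.10.0.0/16, !10.10.99.0/24

# UDP only for devices that cannot send TCP, with the same kind of
# sender restriction
[udp://514]
sourcetype = syslog
index = network
connection_host = ip
acceptFrom = 10.10.5.0/24

# Receiver for data sent by Splunk forwarders on remote machines
[splunktcp://9997]
acceptFrom = 10.10.0.0/16

# Scripted input: run a polling script from an app's bin directory
# every 300 seconds and index its output
[script://$SPLUNK_HOME/etc/apps/my_api_app/bin/poll_api.sh]
interval = 300
sourcetype = my_api:json
index = api_events
disabled = 0
```

Place the file under an app's local directory (for example $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf) and restart or reload inputs; indexes named here must already exist on the indexer.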
Get started with getting data in
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15