Configure your inputs
To add a new type of data to Splunk Enterprise, configure a data input. There are a number of ways to configure data inputs.
- Apps. Splunk has a large variety of apps that offer preconfigured inputs for various types of data. For information, see "Use apps to get data in."
- Splunk Web. You can configure most inputs using the Splunk Web data input pages. These provide a GUI-based approach to configuring inputs. You can access the Add Data landing page from Splunk Home. You can also use System to add new inputs or view and manage existing inputs. In addition, when you upload or monitor a file, Splunk Enterprise lets you preview the file and make adjustments to how Splunk Enterprise plans to index it before the data is written to the index.
- The Splunk Command-Line Interface (CLI). Use the CLI to configure most types of inputs.
- The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, Splunk Enterprise saves them in a configuration file, inputs.conf. You also can edit that file directly. To handle some advanced data input requirements, you might need to edit it.
This topic describes how to configure data inputs yourself, using Splunk Web, the CLI, or
Use Splunk Web
You can add data inputs from Splunk Home or Splunk System.
- From Splunk Home, select Add Data. This takes you to the Add Data page, with links to recipes for a variety of data input types. See "How do you want to add data?"
- From anywhere in Splunk Web, select System, and then select Data inputs from the Data section of the System pop-up. This takes you to a page where you can view and manage your existing inputs, as well as add new ones.
For information on using Splunk Web to configure your inputs, look in the topics covering specific inputs later in this manual. For example, to learn how to use Splunk Web to configure network inputs, see "Get data from TCP and UDP ports."
You can configure most inputs with Splunk Web. For a small number of input types, you must edit inputs.conf directly. In addition, some advanced settings for other input types are available only through
When you add an input through Splunk Web, Splunk Enterprise adds that input to a copy of inputs.conf that belongs to the app you are currently in. This has consequences that you need to consider. For example, if you navigated to Splunk System directly from the Search page and then added an input there, Splunk Enterprise adds the input to $SPLUNK_HOME/etc/apps/search/local/inputs.conf. Make sure you are in the intended app when you add your inputs. For information on how configuration files work, see "About configuration files."
Use the CLI
You can use the Splunk CLI to configure most inputs. Navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command from the UNIX or Windows command prompt. For example, this command adds /var/log/ as a data input:
./splunk add monitor /var/log/
If you get stuck, the Splunk CLI has built-in help. For the list of CLI commands, type:
./splunk help commands
Individual commands have their own help pages as well. To see them, type:
./splunk help <command>
For information on how to use the CLI to configure a specific input, see the topic in this manual for that input. For example, to learn how to use the CLI to configure network inputs, see: "Add a network input using the CLI."
For information on the CLI, see "About the CLI" and the topics that follow it in the Admin Manual.
To add an input by directly editing inputs.conf, add a stanza for the input. You can add the stanza to the inputs.conf file in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory (in $SPLUNK_HOME/etc/apps/<app name>/local). If you have not worked with the configuration files, see "About configuration files."
Configure the data input by adding attribute/value pairs to its stanza. You can set multiple attributes in an input stanza. If you do not specify a value for an attribute, Splunk Enterprise uses the default value that is preset in
Following is an example of adding a network input. This configuration directs Splunk Enterprise to listen on TCP port 9995 for raw data from any remote server. Splunk Enterprise uses the DNS name of the remote server to set the host of the data. It assigns the source type log4j and the source tcp:9995 to the data.
[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995
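The following Python audit is an added example, not part of the Splunk documentation. It lists every input defined in the local inputs.conf files named in this topic, records which file holds each one (the app-context consequence described under "Use Splunk Web"), and marks network stanzas such as [tcp://:9995] that name no remote host. The function names and the sample directory tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

NET = re.compile(r"^(tcp|udp)://(?P<host>[^:]*):\d+$")  # empty host = any remote server

def parse_inputs_conf(text):
    """Return {stanza: {attribute: value}}; comments and blank lines are skipped."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(splunk_home):
    """Yield (file, stanza, sourcetype, notes) for every input in local inputs.conf files."""
    home = Path(splunk_home)
    paths = [home / "etc/system/local/inputs.conf",
             *sorted(home.glob("etc/apps/*/local/inputs.conf"))]
    for path in (p for p in paths if p.is_file()):
        rel = path.relative_to(home).as_posix()
        for name, attrs in parse_inputs_conf(path.read_text()).items():
            notes = []
            net = NET.match(name)
            if net and not net.group("host"):
                notes.append("accepts data from any remote host")
            if rel == "etc/apps/search/local/inputs.conf":
                notes.append("saved under the search app")
            yield rel, name, attrs.get("sourcetype"), notes

def demo():
    """Audit a constructed $SPLUNK_HOME: the page's TCP stanza plus a monitor input."""
    samples = {  # constructed sample files, not taken from a real deployment
        "etc/system/local/inputs.conf":
            "[tcp://:9995]\nconnection_host = dns\nsourcetype = log4j\nsource = tcp:9995\n",
        "etc/apps/search/local/inputs.conf": "[monitor:///var/log/]\n",
    }
    with tempfile.TemporaryDirectory() as home:
        for rel, body in samples.items():
            target = Path(home, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return list(audit(home))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To audit a real installation, call audit() with the path of your own $SPLUNK_HOME instead of the temporary tree.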
For information on how to configure a specific input, see the topic in this manual for that input. For example, to learn how to configure file inputs, see Edit inputs.conf.
The topic for each data input describes the main attributes available for that input. However, refer to the inputs.conf spec file for the list of available attributes. The spec file contains descriptions of the attributes. There is also a file that contains several examples.
About source types
As part of the input process, Splunk Enterprise assigns a source type to the data. The source type identifies the format of the data. Splunk Enterprise uses the source type during indexing to format events correctly. It usually knows what source type to assign. For instance, syslog data gets a source type of "syslog". If you are not happy with the source type Splunk Enterprise assigns to a particular input, you can substitute a different source type -- either one of the predefined source types or one that you create yourself. You set the source type at the time you configure the input, using any of the configuration methods described in this topic.
To learn how to set the source type on a per-event basis, see "Advanced source type overrides."
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15