Modify input settings
This topic discusses the "Input Settings" page Splunk Enterprise presents after you configure the data source in the "Set Sourcetypes" page.
After you select the source (or set your source type when uploading or monitoring a single file), Splunk Enterprise presents the following page:
The page lets you specify additional parameters for your data input, such as its source type, its application context, its host value, and the index where data from the input should be stored.
The input settings available are as follows:
The "Sourcetype" setting lets you specify what source type Splunk Enterprise should apply to your data. It appears when:
- You specify a data source that is not a single file.
- You specify a directory as a data source.
- You specify a network input as a data source.
- You specify a data source that has been forwarded from another Splunk Enterprise instance.
If your data source does not meet these criteria, then the "Sourcetype" setting does not appear.
To specify a source type, click one of the three buttons:
- Automatic: Tells Splunk Enterprise to apply the default source type to the data.
- Select: Tells Splunk Enterprise to apply the source type you specify to the data. When you click "Select," a drop-down appears that lists all available source types on the machine, arranged by category. First, choose the category that best represents the source type you want, then choose the source type from the list.
- Manual: Tells Splunk Enterprise to use the source type that you enter in the field that appears below.
Note: There is no facility to create a source type on this page. If you want to create a source type so that it appears in the "Select" list, either:
- Choose a single file to upload or monitor and create the source type using the "Set Sourcetypes" page, or
- Create the source type by editing the props.conf file. Read the props.conf spec file for a list of valid attributes.
The Application Context setting tells Splunk Enterprise the context in which the input should collect data. Application contexts improve manageability of input and source type definitions. Splunk Enterprise loads all app contexts based on precedence rules. See "Configuration file precedence" in the Admin manual.
Select the application context you want this input to operate within by clicking the drop-down and selecting the application context you want from the list.
Splunk Enterprise tags each event that it indexes with a host value. Choose how Splunk Enterprise determines that value:
- Constant value: Tells Splunk Enterprise to use the value you specify in the "Host Field Value" field. Splunk Enterprise tags each event with this value for the "Host" field, and you can later search on this host field with the same value.
- Regular expression on path: Use this setting to configure Splunk Enterprise to extract the host value from the path of the file that contains the data. Enter a valid regular expression in the Regular expression field below. Splunk Enterprise then uses this regular expression to extract the host name from the path. See "About hosts."
- Segment in path: Use this setting to tell Splunk Enterprise to determine the host value from a segment within the source input path name. Enter the segment number in the Segment number field below.
For example, if the source input has a pathname /var/server/<hostname>, and you wanted Splunk Enterprise to set the host field based on hostname, you would select "Segment in path" and enter 3 as the segment number, since <hostname> is the third segment in the path.
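One way to check a segment number or a path regular expression against representative paths before saving the input, as an added example that is not part of the original Splunk documentation. The function names and sample paths are constructed for illustration; the regex variant assumes the host comes from the first capture group, and Python's `re` module stands in for Splunk's regex engine.

```python
import re

def host_from_segment(path, segment):
    """Return the 1-based path segment, or None if the path is too short."""
    parts = [p for p in path.split("/") if p]
    if segment < 1 or segment > len(parts):
        return None
    return parts[segment - 1]

def host_from_regex(path, pattern):
    """Return the first capture group of pattern found in path, or None."""
    m = re.search(pattern, path)
    if m is None or m.lastindex is None:
        return None
    return m.group(1)

def preview(paths, segment=None, pattern=None):
    """Map each path to the host value the chosen rule would yield."""
    result = {}
    for path in paths:
        if segment is not None:
            result[path] = host_from_segment(path, segment)
        else:
            result[path] = host_from_regex(path, pattern)
    return result

# Constructed sample paths (not from the original page).
SAMPLE_PATHS = [
    "/var/server/web01",
    "/var/server/db02/app.log",
    "/var/server",  # too short: there is no third segment
]

if __name__ == "__main__":
    for rule in ({"segment": 3}, {"pattern": r"/var/server/([^/]+)"}):
        print(rule)
        for path, host in preview(SAMPLE_PATHS, **rule).items():
            print(f"  {path:28} -> {host or 'NO HOST (rule did not apply)'}")
```

Paths that report no host are the ones to review, since events from them would not carry the host value you intended.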
The "Index" setting tells Splunk Enterprise which index it should store the events for this input in. To use the default index, leave the drop-down button set to "Default". To choose another index, click the drop-down button and select the index you want the data to go to from the list. If the index you want to send the data to is not in the list, and you have the permissions, you can create a new index by clicking the Create a new index button.
Once you have made your selections, you can proceed to the final step of the "Add Data" process by clicking the green Next button.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15