Splunk® Enterprise

Search Tutorial


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About getting data into Splunk Enterprise

Before you can use Splunk Enterprise, you need to add data to it. When the data source is defined, Splunk Enterprise begins to index the data stream and transform it into a series of individual events that you can view and search. If the results are not what you want, tweak the indexing process until you are satisfied.

This section of the tutorial is a brief overview of the types of data that you can add, the ways to get that data into Splunk Enterprise, and where the data is stored after you add it. For a full discussion of adding data, see Getting Data In.

What kinds of data?

Splunk Enterprise works with any data. In particular, it works with all IT streaming and historical data. This data is from event logs, web logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, and so on.

The data can be on the same machine as the Splunk indexer (local data), or it can be on another machine (remote data). For information on local versus remote data, see "Where is my data?" in Getting Data In.

In general, categorize input sources as follows:

  • Files and directories: A lot of data you might be interested in comes directly from files and directories.
  • Network events: Splunk can index remote data from any network port and SNMP events from remote devices.
  • Windows sources: The Windows version of Splunk includes a wide range of Windows-specific inputs, including Windows Event Log, Windows Registry, WMI, Active Directory, and Performance monitoring.
  • Other sources: Splunk supports other input sources, such as FIFO queues and scripted inputs for getting data from APIs and other remote data interfaces.

For information about data and Splunk Enterprise, see "What Splunk can index" in Getting Data In.

How to specify data inputs

You add new types of data to Splunk Enterprise by defining the input sources.

  • Splunk Web. You can configure most inputs using the Splunk Web data input pages. These views provide a GUI-based approach to configuring inputs. Use this method to add the tutorial data into Splunk Enterprise.
  • Apps. The Splunk platform has apps and add-ons that offer preconfigured inputs for different types of data sources. See "Use apps to get data in" in Getting Data In.
  • The Splunk Enterprise CLI. You can use the CLI (command line interface) to configure most types of inputs. See "Use the CLI" in Getting Data In.
  • The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the configurations are saved in an inputs.conf file. To handle some advanced data input requirements, you might need to edit that file directly. See "Edit inputs.conf" in Getting Data In.

For information about configuring inputs, see "Configure your inputs" in Getting Data In.
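Because every input ends up as a stanza in inputs.conf whichever method you used to define it, it is worth being able to read that file and check what it will actually collect. The script below is an added example, not code from the Splunk documentation or the Splunk product: it embeds a constructed inputs.conf (the stanza types monitor://, udp:// and WinEventLog:// and the keys sourcetype, index, disabled, whitelist, connection_host and host are real inputs.conf settings; the file contents and host name are made up), applies the [default] stanza to every other stanza the way Splunk does, and then reports inputs that are disabled, have no explicit index, or (for file monitors) have no explicit sourcetype. The audit rules themselves are this example's own choices, not a Splunk feature.

```python
"""Parse a Splunk inputs.conf and audit what it will collect.

Added example for the tutorial; the sample file below is constructed,
not taken from any Splunk installation.
"""
import configparser
from typing import Dict, List

# Constructed sample inputs.conf. Stanza types and keys are real
# inputs.conf settings; paths, host and index names are made up.
SAMPLE_INPUTS_CONF = """
# settings here apply to every stanza that does not override them
[default]
host = web-01

[monitor:///var/log/secure]
sourcetype = linux_secure
index = os_auth
disabled = 0

[monitor:///var/log/httpd]
whitelist = access_log$
disabled = 0

[udp://514]
sourcetype = syslog
connection_host = ip
index = network

[WinEventLog://Security]
disabled = 1
"""


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza name: effective settings}.

    Splunk layers the [default] stanza under every other stanza, so the
    returned settings already include inherited keys such as host.
    """
    parser = configparser.ConfigParser(
        interpolation=None,      # Splunk values may contain '%' literally
        delimiters=("=",),       # Splunk only uses key = value
        strict=False,            # tolerate repeated keys rather than abort
    )
    parser.optionxform = str     # keep key case as written (Splunk keys are case-sensitive)
    parser.read_string(text)

    defaults = dict(parser["default"]) if parser.has_section("default") else {}
    effective: Dict[str, Dict[str, str]] = {}
    for name in parser.sections():
        if name == "default":
            continue
        settings = dict(defaults)
        settings.update(parser[name])   # stanza-local keys win over [default]
        effective[name] = settings
    return effective


def audit_inputs(inputs: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag stanzas that will silently collect nothing, or land data in
    the default index or under a guessed sourcetype."""
    findings: List[str] = []
    for stanza, s in inputs.items():
        kind = stanza.split("://", 1)[0]        # monitor, udp, WinEventLog, ...
        if s.get("disabled", "0").lower() in ("1", "true"):
            findings.append(f"{stanza}: input is disabled, nothing will be collected")
            continue
        if "index" not in s:
            findings.append(f"{stanza}: no index set, events go to the default index (main unless reconfigured)")
        if kind == "monitor" and "sourcetype" not in s:
            findings.append(f"{stanza}: no sourcetype set, Splunk will guess one from the data")
    return findings


if __name__ == "__main__":
    parsed = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for stanza, settings in parsed.items():
        print(stanza, settings)
    for line in audit_inputs(parsed):
        print("FINDING:", line)
```

Run against the embedded sample, the script reports three findings: the httpd monitor has neither an index nor a sourcetype, and the Windows Security event log input is disabled. The secure-log and syslog inputs pass because each names both an index and a sourcetype, and every stanza inherits host = web-01 from [default]. The same parser can be pointed at a real $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf by reading that file instead of the string.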

Where Splunk Enterprise stores data

A Splunk Enterprise data repository is called an index. During indexing (or event processing), Splunk Enterprise processes the incoming data stream to enable fast search and analysis, storing the results in the index as events.

Events are stored in the index as a group of files that fall into two categories:

  • Rawdata, which is the raw data in a compressed form.
  • Index files and some metadata files that point to the raw data.

These files reside in sets of directories, called buckets, organized by age. See "How the indexer stores indexes" in Managing Indexers and Clusters of Indexers.

Splunk Enterprise, by default, puts all user data into a single, preconfigured index. It also uses several other indexes for internal purposes. You can add new indexes and manage existing ones to meet your data requirements. See "About managing indexes" in Managing Indexers and Clusters of Indexers.

Next steps

Now that you're more familiar with Splunk data inputs and indexes, see "Get the tutorial data into Splunk Enterprise."

Last modified on 01 February, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
