Get the tutorial data into Splunk Enterprise
This topic walks you through downloading the tutorial data set and adding it into Splunk Enterprise. You can complete this tutorial in several hours, but if you want to spread it out over a few days, download a new sample data file and add it.
Download the sample data file
Download and do not uncompress the tutorial data file here:
This tutorial data file is updated daily and shows events timestamped for the previous 7 days.
Add the sample data into Splunk Enterprise
1. Log into Splunk.
- If you are not in Splunk Home, click the Splunk logo on the Splunk bar to go to Splunk Home.
2. Under Explore Splunk Enterprise, click Add data.
- The Add Data view displays three options for adding data: Upload, Monitor, and Forward.
This view also lists of common data types and add-ons that you can use to extend Splunk Enterprise capabilities to add data.
3. Under "How do you want to add data?", click Upload.
4. Under Select Source, click Select File to browse for the tutorialdata.zip file.
- Alternatively, you can drag and drop the tutorial data file into the rectangular box.
- Because the tutorial data file is an archived data file, the next step in the Add Data workflow changes from Set Sourcetype to Input Settings.
5. Click Next to continue to Input Settings.
- Under Input Settings, you can override the default settings for Host, Source type, and Index.
6. Modify the Host settings to assign the host names using a portion of the path name. The settings that you select depend on the operating system on which you are installing the Splunk software.
- Linux or Mac OS X
- a. Select Segment in path.
- b. Type
1for the segment number.
- a. Select Regular expression on path.
- b. Type
\\(.*)\/for the regex to extract the host from the path.
7. Click Review to review your input settings.
8. Click Submit.
9. To confirm that the data was added successfully, click Start Searching.
- The Search view opens and a search runs for the tutorial data source.
About getting data into Splunk Enterprise
About the Search views
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13