Splunk® Enterprise

Search Tutorial

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Get the tutorial data into Splunk Enterprise

This topic walks you through downloading the tutorial data set and adding it into Splunk Enterprise. You can complete this tutorial in several hours, but if you want to spread it out over a few days, download a new sample data file and add it.

Download the sample data file

Download and do not uncompress the tutorial data file here:


This tutorial data file is updated daily and shows events timestamped for the previous 7 days.

Add the sample data into Splunk Enterprise

1. Log into Splunk.

If you are not in Splunk Home, click the Splunk logo on the Splunk bar to go to Splunk Home.

2. Under Explore Splunk Enterprise, click Add data.

The Add Data view displays three options for adding data: Upload, Monitor, and Forward.

This view also lists common data types and add-ons that you can use to extend the ways Splunk Enterprise can add data.

3. Under "How do you want to add data?", click Upload.

4. Under Select Source, click Select File to browse for the tutorialdata.zip file.

Alternatively, you can drag and drop the tutorial data file into the rectangular box.
Because the tutorial data file is an archived data file, the next step in the Add Data workflow changes from Set Sourcetype to Input Settings.

5. Click Next to continue to Input Settings.

Under Input Settings, you can override the default settings for Host, Source type, and Index.

6. Modify the Host settings to assign the host names using a portion of the path name. The settings that you select depend on the operating system on which you are installing the Splunk software.

Linux or Mac OS X
a. Select Segment in path.
b. Type 1 for the segment number.

Windows
a. Select Regular expression on path.
b. Type \\(.*)\/ for the regex to extract the host from the path.

7. Click Review to review your input settings.

8. Click Submit.

9. To confirm that the data was added successfully, click Start Searching.

The Search view opens and a search runs for the tutorial data source.

Next steps

Learn more about the Search app and start searching the tutorial data.

Last modified on 27 August, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
