About getting data into Splunk Enterprise
Before you can use Splunk Enterprise, you need to add data to it. When the data source is defined, Splunk Enterprise begins to index the data stream and transform it into a series of individual events that you can view and search. If the results are not what you want, tweak the indexing process until you are satisfied.
This section of the tutorial is a brief overview of the types of data that you can add, the ways to get that data into Splunk Enterprise, and where the data is stored after you add it. For a full discussion of adding data, see Getting Data In.
What kinds of data?
Splunk Enterprise works with any data. In particular, it works with all IT streaming and historical data. This data is from event logs, web logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, and so on.
The data can be on the same machine as the Splunk indexer (local data), or it can be on another machine (remote data). For information on local versus remote data, see "Where is my data?" in Getting Data In.
In general, categorize input sources as follows:
- Files and directories: A lot of data you might be interested in comes directly from files and directories.
- Network events: Splunk can index remote data from any network port and SNMP events from remote devices.
- Windows sources: The Windows version of Splunk includes a wide range of Windows-specific inputs, including Windows Event Log, Windows Registry, WMI, Active Directory, and Performance monitoring.
- Other sources: Splunk supports other input sources, such as FIFO queues and scripted inputs for getting data from APIs and other remote data interfaces.
For information about data and Splunk Enterprise, see "What Splunk can index" in Getting Data In.
How to specify data inputs
You add new types of data to Splunk Enterprise by defining the input sources.
- Splunk Web. You can configure most inputs using the Splunk Web data input pages. These views provide a GUI-based approach to configuring inputs. Use this method to add the tutorial data into Splunk Enterprise.
- Apps. The Splunk platform has apps and add-ons that offer preconfigured inputs for different types of data sources. See "Use apps to get data in" in Getting Data In.
- The Splunk Enterprise CLI. You can use the CLI (command line interface) to configure most types of inputs. See "Use the CLI" in Getting Data In.
- The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the configurations are saved in an inputs.conf file. To handle some advanced data input requirements, you might need to edit that file directly. See "Edit inputs.conf" in Getting Data In.
For information about configuring inputs, see "Configure your inputs" in Getting Data In.
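As an added example (not code from the Splunk documentation or product), the following Python script embeds a constructed inputs.conf that covers the four input categories named above (a monitored directory, TCP and UDP network ports, a Windows Event Log channel, and a scripted input), parses it with the standard library, and flags the settings a reviewer usually wants to confirm before enabling an input. The stanza types and settings used (monitor, tcp, udp, WinEventLog, script, index, sourcetype, disabled, whitelist, ignoreOlderThan, connection_host, acceptFrom, interval) are real inputs.conf settings; the file paths, port numbers, index names, the script path and the check_inputs_conf helper are assumptions made for the example.

```python
"""Added example: parse a constructed inputs.conf and report settings worth
reviewing before the input is enabled. Not Splunk's own code."""
import configparser
from typing import Dict, List

# Constructed sample inputs.conf. Paths, ports, index names and the script
# path are assumptions; the stanza types and keys are standard inputs.conf.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/nginx]
sourcetype = access_combined
index = web
whitelist = \\.log$
ignoreOlderThan = 30d
disabled = 0

[monitor:///var/log/secure]
sourcetype = linux_secure
disabled = 0

[tcp://5514]
sourcetype = syslog
index = netdev
connection_host = ip
acceptFrom = 10.0.0.0/8

[udp://514]
sourcetype = syslog
index = netdev
connection_host = dns

[WinEventLog://Security]
index = wineventlog
disabled = 0

[script://./bin/api_poll.sh]
interval = 300
sourcetype = api:poll
index = apps
disabled = 1
"""


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse inputs.conf text into {stanza name: {key: value}}.

    inputs.conf is an INI-style file whose stanza headers contain '://', so the
    standard configparser handles it once interpolation is disabled and key
    case is preserved (keys such as acceptFrom are case-sensitive to read)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_stanza(name: str, settings: Dict[str, str]) -> List[str]:
    """Return review findings for one stanza (empty list if nothing to flag)."""
    findings: List[str] = []
    enabled = settings.get("disabled", "0").strip().lower() not in ("1", "true")
    scheme = name.split("://", 1)[0]  # e.g. monitor, tcp, udp, WinEventLog, script

    # The page notes that, by default, all user data lands in one preconfigured
    # index (main). An explicit index keeps sensitive sources separable for
    # retention and role-based access control.
    if enabled and "index" not in settings:
        findings.append(f"{name}: no index set; events go to the default index (main)")
    # Network listeners accept data from any address unless acceptFrom limits it.
    if scheme in ("tcp", "udp") and "acceptFrom" not in settings:
        findings.append(f"{name}: no acceptFrom; port accepts data from any source address")
    # UDP is connectionless, so the transport itself cannot verify the sender.
    if scheme == "udp":
        findings.append(f"{name}: UDP input; transport cannot verify the sending host")
    # Without a sourcetype Splunk autodetects one, which can vary between files.
    if scheme == "monitor" and "sourcetype" not in settings:
        findings.append(f"{name}: no sourcetype; Splunk will auto-detect one")
    # Scripted inputs are executed by splunkd, so their contents deserve review.
    if scheme == "script" and enabled:
        findings.append(f"{name}: enabled scripted input runs under splunkd; review the script")
    return findings


def check_inputs_conf(text: str) -> List[str]:
    """Run check_stanza over every stanza in an inputs.conf text."""
    findings: List[str] = []
    for name, settings in parse_inputs_conf(text).items():
        findings.extend(check_stanza(name, settings))
    return findings


if __name__ == "__main__":
    for finding in check_inputs_conf(SAMPLE_INPUTS_CONF):
        print(finding)
```

Run against the embedded sample, the checker reports three findings: the /var/log/secure monitor has no explicit index, and the udp://514 stanza both lacks acceptFrom and uses a transport that cannot verify the sender; the nginx monitor, the TCP listener, the Security event log and the disabled scripted input pass. Pointing parse_inputs_conf at a real $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf (path assumed from the layout Splunk uses) gives the same checks over your own configuration.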
Where Splunk Enterprise stores data
A Splunk Enterprise data repository is called an index. During indexing (or event processing), Splunk Enterprise processes the incoming data stream to enable fast search and analysis, storing the results in the index as events.
Events are stored in the index as a group of files that fall into two categories:
- Rawdata, which is the raw data in a compressed form.
- Index files and some metadata files that point to the raw data.
Splunk Enterprise, by default, puts all user data into a single, preconfigured index. It also uses several other indexes for internal purposes. You can add new indexes and manage existing ones to meet your data requirements. See "About managing indexes" in Managing Indexers and Clusters of Indexers.
Now that you're more familiar with Splunk data inputs and indexes, see "Get the tutorial data into Splunk Enterprise."
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14