Splunk® Enterprise

Search Tutorial

This documentation does not apply to the most recent version of Splunk.

Upload the tutorial data

This tutorial uses a set of data that is designed to show you the features in the product. Using the tutorial data ensures that your search results are consistent with the steps in the tutorial.

Prerequisite
You must have the tutorial data files on your computer.

Use the Add Data wizard

  1. If you are not on the Splunk Home page, click the Splunk logo on the Splunk bar to go to Splunk Home.
  2. Locate the Add Data icon.
    Splunk Enterprise
    a. In the Explore Splunk Enterprise panel, click Add Data.
    Splunk Cloud
    a. If the Welcome to the Splunk Free Cloud Trial! window is displayed, close the window.
    b. Click Settings > Add Data.
  3. Click Upload.
  4. Under Select Source, click Select File to browse for the tutorialdata.zip file.
  5. Select the file and click Open.
    Note: Because you specified a compressed file, a data source that the Splunk software recognizes, the wizard's steps change. The step Set Source Type is skipped. When you load data that is not in a compressed file, you will set the data source type.
  6. Click Next to continue to Input Settings.
  7. Under Input Settings, you can override the default settings for Host, Source type, and Index.
  8. Modify the Host settings to assign the host names using a portion of the path name. The settings that you select depend on the operating system on which you are installing the Splunk software.
    Linux or Mac OS X
    a. Select Segment in path.
    b. Type 1 for the segment number.
    Windows
    a. Select Regular expression on path.
    b. Type \\(.*)\/ for the regex to extract the host from the path.
  9. Click Review and review your input settings.
  10. Click Submit to add the data.
  11. To see the data in the Search app, click Start Searching.
    You might see a screen asking if you want to take a tour. You can take the tour or click Skip.
    The Search app opens and a search is automatically run on the tutorial data source.
    Success! The results confirm that the data in the tutorialdata.zip file was indexed and that events were created.
  12. Click the Splunk logo to return to Splunk Home.
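A post-upload check for the Host setting, added here as an example (not Splunk's code): it parses the two host/source summaries quoted in the comments on this page, derives the host the tutorial expects from the first directory inside the archive, and applies the Windows regex from the Input Settings step. The helper names, and matching the regex against the `source` string as it is displayed, are assumptions of this example.

```python
import re

# Host regex from the Windows branch of the Input Settings step on this page.
WINDOWS_HOST_REGEX = re.compile(r"\\(.*)\/")

# Constructed sample: the two field summaries quoted in the comments on this page.
EVENT_SUMMARIES = [
    r"host = vendor_sales | source = tutorialdata.zip:./vendor_sales/vendor_sales.log | sourcetype = vendor_sales",
    r"host = 127.0.0.1 | source = tutorialdata.zip:.\vendor_sales/vendor_sales.log sourcetype = vendor_sales/vendor_sales",
]

def parse_fields(summary):
    """Turn 'key = value' pairs into a dict; tolerates a missing '|' separator."""
    return dict(re.findall(r"(\w+) = (\S+)", summary))

def directory_host(source):
    """Hypothetical helper: first directory inside the archive, with either slash style."""
    inner = source.partition(":")[2] or source   # path after 'tutorialdata.zip:'
    parts = [p for p in re.split(r"[\\/]", inner) if p not in ("", ".")]
    # A bare file name has no directory, so there is no host to derive from it.
    return parts[0] if len(parts) > 1 else None

def regex_host(source):
    """First capture group of the page's Windows regex, or None if it does not match."""
    match = WINDOWS_HOST_REGEX.search(source)
    return match.group(1) if match else None

def audit(summary):
    """Compare the reported host with the host implied by the source path."""
    fields = parse_fields(summary)
    expected = directory_host(fields["source"])
    return {
        "reported": fields["host"],
        "expected": expected,
        "regex": regex_host(fields["source"]),
        "host_ok": fields["host"] == expected,
    }

if __name__ == "__main__":
    for line in EVENT_SUMMARIES:
        print(audit(line))
```

The second summary fails the check because every event carries the default host, which collapses the per-host breakdown that later searches rely on. The regex returns nothing for the forward-slash source, so it only suits the Windows path form.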
Next step

You have completed Part 2 of the Search Tutorial.

Now you know how to add data to your Splunk platform. Next, you will begin to learn how to search that data. Continue to Part 3: Using the Splunk Search App.


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Comments

The file is not getting uploaded. As I am using Splunk Cloud, I added 1 in the segment field with all other fields unchanged. The upload fails without giving any error. The upload pops up momentarily and then goes away with the review screen still showing.

Roysanket
June 25, 2018

Hi Splunk:
I have the same problem as Raymond, in Windows 10.

When I look at your screenshot in step 10 I see under "Event" this:
host = vendor_sales | source = tutorialdata.zip:./vendor_sales/vendor_sales.log | sourcetype = vendor_sales

But in my Splunk I see this:
host = 127.0.0.1 | source = tutorialdata.zip:.\vendor_sales/vendor_sales.log sourcetype = vendor_sales/vendor_sales

Simonat
January 6, 2017

I am now in SPLUNK page, how can I do if I want to go back to see the data again, or suppose I make a mistake and want to delete it, and do the same process again.

Joliveira
August 9, 2016

Istvan - Thank you for your comment. Your regex is a good workaround on Windows for uploading the tutorialdata.zip file to Splunk.

Lstewart splunk, Splunker
June 13, 2016

A possible workaround until issue gets fixed for Splunk Enterprise:

In step Input Settings, choose Regular expression on path instead of Segment in path and put the following regex: \\(.*)\/

This will extract the host from path.
Worked for me.

Iballa
June 7, 2016

Cwwee2014
We are aware of this issue on Windows and are actively working on resolving this issue.
In the meantime, might I suggest that you set up a free 15 day trial of Splunk Cloud.
The majority of the steps are identical for Splunk Enterprise and Splunk Cloud.
Only a few differences, which are documented in the first few topics in the tutorial.
The searches that you will perform are identical.

Start here
http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchTutorial/Systemrequirements#Access_the_trial_version_of_the_Splunk_software

and follow the steps for Splunk Cloud.

By using Splunk Cloud, you will be able to explore the Splunk search features that are described in the Search Tutorial.

Lstewart splunk, Splunker
May 15, 2016

I am reading the tutorial on http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/GetthetutorialdataintoSplunk
When I import the tutorialdata.zip file, I expect that after the import I see different hosts in the "search and reporting view". However, I only see host = 127.0.0.1

I am using Splunk 6.4.0 on my Windows 10 laptop.

Am I doing something wrong? I have tried this tutorial twice.

Cwwee2014
May 15, 2016

Unfortunately I still have the same problem as I mentioned on April 23rd, 2016.

Maybe this provides some more information:
When I look at your screenshot in step 10 I see under "Event" this:
host = vendor_sales | source = tutorialdata.zip:./vendor_sales/vendor_sales.log | sourcetype = vendor_sales

But in my Splunk I see this:
host = 127.0.0.1 | source = tutorialdata.zip:.\vendor_sales/vendor_sales.log sourcetype = vendor_sales/vendor_sales
Note the difference in forward vs. backward slashes just after "tutorialdata.zip:." and the differences in "sourcetype"

Raymond

Rdjongh
May 13, 2016

I am still facing this issue - (SPL-109362). Unable to upload Tutorialdata.zip on Windows 7/other Windows.
Any resolution plan?

Alokplanit
May 8, 2016

Nicholas
Thank you for your comment and letting us know that Raymond is not alone in this issue. We are investigating this problem with loading data in Windows.

Lstewart splunk, Splunker
May 7, 2016

Hi Splunk,

I encountered the same problem as Raymond.

Nicholas
May 3, 2016

Niftynicholas
May 2, 2016

Raymond
Thank you for your comment. We are investigating this issue with loading data in Windows.

Lstewart splunk, Splunker
April 25, 2016

I am reading the tutorial on http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/GetthetutorialdataintoSplunk
When I import the tutorialdata.zip file, I expect that after the import I see different hosts in the "search and reporting view". However, I only see host = 127.0.0.1

I am using Splunk 6.4.0 on my Windows 10 laptop.

Am I doing something wrong?


Thanks,

Raymond

Rdjongh
April 23, 2016
