Splunk® Enterprise

Getting Data In



Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Other ways to get data in

You can get data into your Splunk platform instance in a number of ways. The best way depends on the location and volume of data, your infrastructure and security needs, and what you intend to do with that data.

Assess your needs

Answer the following questions to help you determine the best way to get data into your Splunk platform instance.

Question: What kind of data do I want to index?
Considerations: The type of data you want to index affects how you get data in. For example, if you want to get data in from a proprietary application, you might want to use the HTTP Event Collector (HEC). On the other hand, if you want to ingest Windows data, you might want to use an app to help you get the data in. See What data can I index?

Question: Is there an app for that?
Considerations: Splunk and many third-party developers provide apps that facilitate and improve data ingestion. If there is an app for the type of data you want to get in, you can save yourself considerable time in configuring and tweaking inputs on universal forwarders. Use apps if they exist for the type of data you want to get in. See Use apps to get data in.

Question: Where does the data reside?
Considerations: For a Splunk Cloud instance, data is always remote, which means that you have to use a universal forwarder or HEC to get the data indexed into Splunk Cloud. For a Splunk Enterprise instance, data can be local or remote. See Is my data local or remote?

Question: Do I need to use forwarders to access remote data?
Considerations: If you have a Splunk Cloud instance, you might have to. See Use forwarders to get data in to Splunk Cloud.

Question: What do I want to do with the indexed data?
Considerations: See What is Splunk knowledge? in the Knowledge Manager Manual.

Add your data

To add a new type of data to your Splunk platform instance, configure a data input. You can configure data inputs using the following methods:

  • Apps. You can use a variety of apps that offer preconfigured inputs, views, and knowledge objects for various use cases. For more information, see Use apps to get data in.
  • Splunk Web. You can configure some inputs using Splunk Web. You can access the Add Data page from the Splunk Web home page. In addition, when you upload a file, you can preview and make adjustments to how Splunk Cloud must index the file. See Assign the correct source types to your data.
  • Forwarders. If your data is remote, you can configure forwarders to send data from outlying machines to your Splunk Cloud instance. For non-Splunk Cloud installations, you can use these forwarders to send data to a central indexer. Depending on the operating system, you can specify some of the inputs at forwarder installation time. See Use forwarders to get data in to Splunk Enterprise.

There are additional ways to get data in for Splunk Enterprise. See Add your data to Splunk Enterprise.

Use apps to get data in

Splunk apps and add-ons extend the capability and simplify the process of getting data into your Splunk Cloud deployment.

Apps typically target specific data types and handle everything from configuring data inputs to generating useful views of the data. For example, the Splunk App for Windows Infrastructure provides data inputs, searches, reports, alerts, and dashboards for Windows host management. The Splunk App for Unix and Linux offers the same for Unix and Linux environments. Most Splunk apps work with Splunk Cloud directly; others might require that you install them on a universal or heavy forwarder to send the data to the Splunk Cloud instance.

You can download these apps on Splunkbase:

You can also download apps to handle specific types of application data. Here are a few examples:

Use Splunk Web

You can add data inputs from the Splunk Web home page or by selecting Settings > Data Inputs.

  • From the Splunk Web home page, click Add Data.
  • Select Settings > Add data.
  • Select Settings > Data inputs from the Data section of the Settings drop-down list.

You can choose different options to get data in on the Add Data page. Click an icon to go to a page to define the data you want to upload, monitor, or forward. See these topics for more information:

For more help on how to add data in Splunk Web, see How do you want to add data?

Add your data to Splunk Enterprise

With Splunk Enterprise, you can add data using Splunk Web or Splunk apps. In addition to these methods, you also can use the following methods.

  • The Splunk Command Line Interface (CLI). This method is available for getting data in to Splunk Enterprise. You can use the CLI to configure most types of inputs. You can also use it on a heavy forwarder to get data into Splunk Cloud.
  • The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the details are saved in a configuration file on Splunk Enterprise indexer and heavy forwarder instances. While this option is not available on Splunk Cloud, you can use a heavy forwarder to send data directly to your Splunk Cloud instance. You can edit configuration files directly on both indexers and heavy forwarders, and some advanced data input needs might require you to make edits.

The Splunk Enterprise Add Data page has an additional option for getting data in:

Use the CLI

On Splunk Enterprise and the universal forwarder, you can use the Splunk CLI to configure many inputs. From a shell or command prompt, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. For example, the following command adds /var/log/ as a data input:

splunk add monitor /var/log/

For more information on the CLI, including how to get command line help, see About the CLI in the Admin Manual.

Edit the inputs.conf configuration file

On Splunk Enterprise and the universal forwarder, you can edit the inputs.conf file to configure your inputs. You use a text editor to create or modify the file, where you can add a stanza for each input. You can add the stanza to the inputs.conf file in $SPLUNK_HOME/etc/system/local/ or in your custom application directory in $SPLUNK_HOME/etc/apps/<app name>/local/.

You can configure the data input by adding key/value pairs to its stanza. You can set multiple settings in an input stanza. If you do not specify a value for a setting, Splunk Enterprise uses the default setting value. Default values for all settings in the inputs.conf file are in the inputs.conf configuration specification file. See the inputs.conf specification file in the Admin Manual.

If you have not worked with configuration files before, see About configuration files before adding inputs.

Example inputs.conf configuration file stanza

The following example configuration directs Splunk Enterprise to listen on TCP port 9995 for raw data from any remote host. Splunk Enterprise uses the DNS name of the remote host to set the host of the data. It assigns the source type log4j and the source tcp:9995 to the data.

[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995

For information on how to configure a specific input, see the topic for that specific input in this manual. For example, to configure file inputs, see Monitor files and directories with inputs.conf.

The topic for each data input describes the main attributes available for that input. See the inputs.conf specification file in the Admin Manual for the complete list of available attributes, including descriptions of the attributes and several examples.
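As an added example, not code from the manual or from Splunk, the following Python reads the stanza shown above, fills in unset keys from a table of assumed defaults (the authoritative values live in inputs.conf.spec; the values in ASSUMED_DEFAULTS are placeholders for the demo), and flags what a reviewer would look at in a raw TCP listener that accepts data from any remote host. The acceptFrom network ACL is a real inputs.conf setting for tcp inputs; everything else the audit prints is derived from the stanza text itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the stanza from the manual, plus a comment line.
SAMPLE_INPUTS_CONF = """\
# raw TCP listener for log4j data (constructed sample for this example)
[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995
"""

# Assumed defaults for the few settings this example looks at; placeholders,
# not the values from inputs.conf.spec.
ASSUMED_DEFAULTS = {"connection_host": "ip", "disabled": "0", "index": "default"}

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")
TCP_NAME_RE = re.compile(r"^tcp://(?P<host>[^:]*):(?P<port>\d+)$")


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stanza headers and key = value lines; comments and blank lines are skipped."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = header.group("name")
            stanzas.setdefault(current, {})
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            stanzas[current][kv.group("key")] = kv.group("value").strip()
    return stanzas


def effective_settings(stanza: Dict[str, str]) -> Dict[str, str]:
    """Settings in force for a stanza: explicit keys win, unset keys fall back to defaults."""
    merged = dict(ASSUMED_DEFAULTS)
    merged.update(stanza)
    return merged


def parse_tcp_stanza_name(name: str) -> Optional[Tuple[str, int]]:
    """Split [tcp://<host>:<port>] into (host, port); host is '' when any remote host may connect."""
    m = TCP_NAME_RE.match(name)
    if not m:
        return None
    return m.group("host"), int(m.group("port"))


def audit_tcp_inputs(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Return review findings for enabled raw TCP listeners."""
    findings: List[str] = []
    for name, stanza in stanzas.items():
        parsed = parse_tcp_stanza_name(name)
        if parsed is None:
            continue
        host, port = parsed
        settings = effective_settings(stanza)
        if settings.get("disabled") == "1":
            continue
        # An empty host accepts raw data from any remote host; without an
        # acceptFrom ACL nothing at the Splunk layer restricts the sources.
        if host == "" and "acceptFrom" not in stanza:
            findings.append(f"[{name}] port {port}: accepts from any host and sets no acceptFrom allowlist")
        # connection_host = dns fills the host field from a reverse DNS lookup,
        # which is not authenticated; worth knowing if host feeds searches or alerts.
        if settings["connection_host"] == "dns":
            findings.append(f"[{name}] port {port}: host field comes from reverse DNS (connection_host = dns)")
    return findings


if __name__ == "__main__":
    parsed = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for stanza_name, body in parsed.items():
        print(stanza_name, effective_settings(body))
    for finding in audit_tcp_inputs(parsed):
        print("FINDING:", finding)
```

Running the block against the sample prints the merged settings for tcp://:9995 and two findings; a stanza that adds an acceptFrom line and uses connection_host = ip produces none.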

To get started with getting data into your Splunk deployment, point it at some data by configuring an input. There are several ways to do this. The most straightforward way is to use Splunk Web.

Alternatively, you can download and enable an app, such as the Splunk App for Microsoft Exchange or Splunk IT Service Intelligence. See Use apps to get data in for more information.

How app context determines where Splunk Enterprise writes configuration files

When you add an input through Splunk Web on Splunk Enterprise, the software adds that input to a copy of the inputs.conf configuration file. The application context, which is the Splunk app you are currently in when you configure the input, determines where Splunk Enterprise writes the inputs.conf file.

For example, if you navigate to the Settings page directly from the Search page and then add an input, Splunk Enterprise adds the input to $SPLUNK_HOME/etc/apps/search/local/inputs.conf because Splunk Enterprise is in the Search & Reporting app.

When you add inputs, confirm that you are in the app context that you want to be in. For background on how configuration files work, read About configuration files in the Splunk Enterprise Admin Manual.
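As an added example, not code from the manual or from Splunk, the following Python resolves the inputs.conf path for a given app context using the rule stated above, and then scans every inputs.conf copy under $SPLUNK_HOME/etc (system and per-app, local and default) for a stanza name, so you can see where an input actually landed. It builds a throwaway directory tree in which the monitor input from the CLI example was added twice, once in the Search app and once in a custom app named my_custom_app; that tree, the app name and the stanza contents are constructed for the demo.

```python
import os
import re
import tempfile
from typing import List

HEADER_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def inputs_conf_path(splunk_home: str, app_context: str) -> str:
    """Where Splunk Web writes an input added while in app_context:
    $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf, as the manual describes."""
    if not app_context or "/" in app_context or os.sep in app_context or app_context in (".", ".."):
        raise ValueError(f"invalid app name: {app_context!r}")
    return os.path.join(splunk_home, "etc", "apps", app_context, "local", "inputs.conf")


def candidate_inputs_confs(splunk_home: str) -> List[str]:
    """All inputs.conf locations Splunk Enterprise layers when reading configuration:
    etc/system/{local,default} and etc/apps/<app>/{local,default}."""
    etc = os.path.join(splunk_home, "etc")
    paths = [os.path.join(etc, "system", layer, "inputs.conf") for layer in ("local", "default")]
    apps_dir = os.path.join(etc, "apps")
    if os.path.isdir(apps_dir):
        for app in sorted(os.listdir(apps_dir)):
            for layer in ("local", "default"):
                paths.append(os.path.join(apps_dir, app, layer, "inputs.conf"))
    return paths


def files_defining_stanza(splunk_home: str, stanza_name: str) -> List[str]:
    """Return the inputs.conf copies (relative to $SPLUNK_HOME, '/'-separated) that
    declare [stanza_name]. More than one hit means the same input was written under
    several app contexts, which is what the check in the manual is meant to avoid."""
    hits: List[str] = []
    for path in candidate_inputs_confs(splunk_home):
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                m = HEADER_RE.match(line.strip())
                if m and m.group("name") == stanza_name:
                    hits.append(os.path.relpath(path, splunk_home).replace(os.sep, "/"))
                    break
    return hits


def build_demo_tree() -> str:
    """Construct a throwaway $SPLUNK_HOME where [monitor:///var/log/] (what
    'splunk add monitor /var/log/' creates) exists in two app contexts."""
    home = tempfile.mkdtemp(prefix="splunk_home_demo_")
    for app in ("search", "my_custom_app"):  # constructed app names for the demo
        path = inputs_conf_path(home, app)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("[monitor:///var/log/]\ndisabled = 0\n")
    return home


if __name__ == "__main__":
    home = build_demo_tree()
    print("Search app context writes to:", inputs_conf_path(home, "search"))
    print("[monitor:///var/log/] is defined in:", files_defining_stanza(home, "monitor:///var/log/"))
```

Point files_defining_stanza at a real $SPLUNK_HOME (read-only, no temp tree needed) to list every file that declares a given input before you edit or remove it.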

See also

Last modified on 03 May, 2021

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.4, 7.0.10, 7.0.11, 7.0.13, 6.3.1, 7.0.3, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 7.0.5, 7.0.6, 7.0.7

