Splunk® Enterprise

Getting Data In


Configure your inputs

Assess your needs

Here is a high-level procedure for assessing your needs. Answering the following questions can help you determine the best way to get data into your Splunk instance.

  1. What kind of data do I want to index? The type of data you want to index affects how you get data in. For example, if you are working with a hand-built application, you might want to use HEC to get data in. See What data can I index?
  2. Is there an app for that? If there is an app for the type of data you want to get in, you can save yourself considerable time in configuring and tweaking inputs. It is recommended to use an app if it exists for the type of data you want to get in. See Use apps to get data in.
  3. Where does the data reside? For an Enterprise instance, data may be local or remote. If you have a Cloud instance, data is always remote. If the data is remote, you'll need to use a forwarder or HEC to get data to your Splunk instance. See Where is my data?
  4. Should I use forwarders to access remote data? See Use forwarders to get data in.
  5. What do I want to do with the indexed data? See What is Splunk knowledge? in the Knowledge Manager Manual.

Adding Data

To add a new type of data to your Splunk deployment, configure a data input. There are a number of ways to configure data inputs:

  • Apps. Splunk has a variety of apps that offer preconfigured inputs for various data types. For more information, see Use apps to get data in.
  • Splunk Web. You can configure most inputs using the Splunk Web data input pages. You can access the Add Data landing page from Splunk Home. In addition, when you upload or monitor a file, you can preview and make adjustments to how the file is to be indexed.
  • The Splunk Command Line Interface (CLI). If you have Splunk Enterprise, you can use the CLI to configure most types of inputs.
  • The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the details are saved in a configuration file, inputs.conf. If you have Splunk Enterprise, you can edit that file directly. Some advanced data input needs might require you to edit it.

In addition, if you configure forwarders to send data from outlying machines to a central indexer, you can specify some inputs at installation time. See Use forwarders to get data in.

Use Splunk Web

You can add data inputs from Splunk Home or from the Settings > Data Inputs menu:

  • From Splunk Home, select Add Data.
  • Select Settings > Add data.
  • Select Settings > Data inputs from the Data section of the Settings pop-up menu.

The Add Data page has options to get data in. Click an icon to go to a page to define the data you want to upload, monitor, or forward.

For more help on how to use the "Add Data" page, see How do you want to add data?

How app context determines where Splunk writes configuration files

When you add an input through Splunk Web, Splunk adds that input to a copy of inputs.conf. The app context, that is, the Splunk app you are currently in when you configure the input, determines where Splunk Enterprise writes the inputs.conf file.

For example, if you navigated to the Settings page directly from the Search page and then added an input, Splunk Enterprise adds the input to $SPLUNK_HOME/etc/apps/search/local/inputs.conf.

When you add inputs, confirm that you are in the app context that you want to be in. For background on how configuration files work, read About configuration files in the Splunk Enterprise Admin manual.

Use the CLI

If you have Splunk Enterprise, you can use the Splunk CLI to configure many inputs. From a shell or command prompt, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. For example, the following command adds /var/log/ as a data input:

splunk add monitor /var/log/

For more information on the CLI, including how to get command line help, see About the CLI in the Admin manual.

Edit inputs.conf

You can edit inputs.conf to configure your inputs. You use a text editor to create or modify the file, where you can add a stanza for each input. You can add the stanza to the inputs.conf file in $SPLUNK_HOME/etc/system/local/, or in your custom application directory (in $SPLUNK_HOME/etc/apps/<app name>/local).

You can configure the data input by adding key/value pairs to its stanza. You can set multiple settings in an input stanza. If you do not specify a value for a setting, Splunk Enterprise uses the default setting value. Default values for all inputs.conf attributes are in $SPLUNK_HOME/etc/system/default/inputs.conf.

If you have not worked with configuration files, see About configuration files before starting to add inputs.

Example inputs.conf stanza

The following example configuration directs Splunk Enterprise to listen on TCP port 9995 for raw data from any remote host. Splunk Enterprise uses the DNS name of the remote host to set the host of the data. It assigns the source type "log4j" and the source "tcp:9995" to the data.

[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995

For information on how to configure a specific input, see the topic in this manual for that input. For example, to learn how to configure file inputs, see Monitor files and directories with inputs.conf.

The topic for each data input describes the main attributes available for that input. See the inputs.conf spec file for the complete list of available attributes, including descriptions of the attributes and several examples.
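As an added example (not Splunk's own code), the following Python parses the stanza and key/value format described above from inputs.conf text constructed inline, fills unset keys from a default layer the way Splunk falls back to system/default/inputs.conf, and lists raw TCP listeners that accept data from any remote host. The sample file contents, the DEFAULT_TCP layer and the function names are assumptions for illustration; acceptFrom is a real inputs.conf setting that this page does not cover.

```python
"""Parse Splunk inputs.conf stanzas and flag TCP listeners open to any host.

Added illustration, not Splunk code. All inputs are constructed inline.
"""
import re

# Constructed: the page's example stanza plus one restricted to a single host.
SAMPLE_INPUTS_CONF = """\
# raw TCP listener on every interface, any remote host may send
[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995

[tcp://10.0.0.5:9996]
sourcetype = syslog
"""

# Constructed stand-in for the system/default layer of a raw TCP input.
DEFAULT_TCP = {"connection_host": "dns", "sourcetype": "", "source": ""}

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} preserving file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        match = STANZA_RE.match(line)
        if match:
            current = match.group("name")
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_settings(stanza, defaults=DEFAULT_TCP):
    """Unset keys take the default layer's value, as Splunk does."""
    return {**defaults, **stanza}


def open_tcp_listeners(stanzas):
    """Raw [tcp://:<port>] stanzas (no host in the header, no acceptFrom
    allow-list, not disabled) are reachable from any remote host."""
    found = []
    for name, settings in stanzas.items():
        if not name.startswith("tcp://"):
            continue
        host = name[len("tcp://"):].rsplit(":", 1)[0]
        enabled = settings.get("disabled", "0") not in ("1", "true")
        if host == "" and "acceptFrom" not in settings and enabled:
            found.append(name)
    return found
```

Running open_tcp_listeners(parse_inputs_conf(SAMPLE_INPUTS_CONF)) reports only the page's port 9995 stanza, which is the one a reviewer would want to pair with an acceptFrom allow-list or a host-restricted header.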

To get started with getting data into your Splunk deployment, point it at some data by configuring an input. There are several ways to do this. The easiest way is to use Splunk Web.

Alternatively, you can download and enable an app, such as the Splunk App for Microsoft Exchange or Splunk IT Service Intelligence.

Guided Data Onboarding

The Guided Data Onboarding (GDO) feature also provides end-to-end guidance for getting select data sources into specific Splunk platform deployments.

From your home page in Splunk Web, find the data onboarding guides by clicking Add Data. From there you can select a data source and configuration type. Then view diagrams, high-level steps, and documentation links that help you set up and configure your data source.

You can find all the Guided Data Onboarding manuals by clicking the Add data tab on the Splunk Enterprise Documentation site.

Index custom data

Splunk software can index any time-series data, usually without additional configuration. If you have logs from a custom application or device, process it with the default configuration first. If you do not get the results you want, you can tweak things to make sure the software indexes your events correctly.

See Overview of event processing and How indexing works so that you can make decisions about how to make Splunk software work with your data. Consider the following scenarios for collecting data.

More Information

After you configure the inputs or enable an app, your Splunk deployment stores and processes the specified data. You can go to either the Search app or the main app page and begin exploring the data that you collected.


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6
