Splunk® Enterprise

Getting Data In

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.2 will no longer be supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Modify input settings

Prerequisites

After you select the source or set your source type when uploading or monitoring a single file, the Modify input settings page appears in .

You can specify additional parameters for your data input, such as its source type, application context, host value, and the index where data from the input is to be stored.

Configure source type

You can specify the source type to be applied to your data with the Source type setting. This setting appears in these situations:

  • When you specify a directory as a data source.
  • When you specify a network input as a data source.
  • When you specify a data source that has been forwarded from another Splunk instance.

If your data source doesn't meet these criteria, then you won't see the Source type setting.

Specify a source type

To specify a source type, select one of these options:

Option Description
Select Click this button to apply the source type that you specify to the data.
New Click this button to add a new source type.

Choose an existing source type

  1. From the Select Source Type drop-down list, choose the category that best represents the data's source type.
  2. Choose the source type from the list that appears.

Add a new source type

  1. In the Source Type text field, enter the name of the new source type.
  2. Choose a category for the source type in the Source Type Category drop-down list.
  3. In the Source Type Description text field, enter the description for the source type.

Configure app context

The Application Context setting determines the context in which the input collects data. When you set the application context, you determine which Splunk app that the input configuration gets stored into. Splunk apps run on the Splunk platform and typically address use cases. Application contexts improve the manageability of input and source type definitions. Application contexts are loaded based on precedence rules. See Configuration file precedence in the Splunk Enterprise Admin Manual.

Select the application context you want this input to operate within by clicking the drop-down list and selecting the application context you want.

Configure host value

tags events with a host. You can configure how the software determines the host value. Configure a host value by choosing one of these available host values:

Host value Description
IP This value uses the IP address of the host from which the event originates.
DNS This value uses Domain Name Services (DNS). Events are tagged with the host name that Splunk software determines using DNS name resolution.
Custom This value uses the host value you assign in the "Host field value" text field that appears when you select this option.

Store an event in an index

The Index setting determines the index where the events for this input are to be stored.

  1. To use the default index, leave the drop-down list option set to Default. Otherwise, click the drop-down list and select the index you want the data to go to.
  2. (Optional) If the index you want to send the data to isn't in the list and you have permissions to create indexes, you can create a new index by clicking the Create a new index button.
  3. After you make your selections, click Next.
Last modified on 31 March, 2021
PREVIOUS
Modify event processing
  NEXT
Distribute source type configurations in Splunk Enterprise

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters