Get started with getting data in
To get started with getting data into your Splunk deployment, point it at some data by configuring an input. There are several ways to do this. The easiest way is to use Splunk Web.
After you configure the inputs or enable an app, your Splunk deployment stores and processes the specified data. You can go to either the Search app or the main app page and begin exploring the data that you collected.
- To learn how to configure an input, see Modify input settings.
- To learn how to add data to your Splunk deployment, see Upload data.
- To learn how to experiment with adding a test index, see Use a test index.
- To learn about how to add source types, see The Set Sourcetype page.
- To learn what event processing is and how to configure it, see How Splunk software handles your data.
- To learn how to delete data from your Splunk deployment, see Delete indexed data and start over.
- To learn about how to configure your inputs with a default index, see Point your inputs at the default index.
Add new inputs
Here is a high-level procedure for adding data.
- Understand your needs. Ask the following questions.
- What kind of data do I want to index? How you get data in depends largely on the type of data you want to ingest.
- Is there an app for that? See Use apps to get data in.
- Should I use forwarders to access remote data? See Forward data.
- What do I want to do with the indexed data? See What is Splunk knowledge? in the Splunk Enterprise Knowledge Manager Manual.
- Create a test index and add a few inputs. Any data you add to your test index counts against your maximum daily indexing volume for licensing purposes.
- Preview and modify how your data will be indexed before committing the data to the test index.
- Review the test data that you have added with the Search app:
- Do you see the sort of data you were expecting?
- Did the default configurations work well for your events?
- Is data missing or mangled?
- Are the results optimal?
- If necessary, tweak your input and event processing configurations further until events look the way you want them to.
- Delete the data from your test index and start over, if necessary.
- When you are ready to index the data permanently, configure then inputs to use the default main index.
You can repeat this task to add other inputs as you familiarize yourself with the getting data in process.
Index custom data
Splunk software can index any time-series data, usually without additional configuration. If you have logs from a custom application or device, process it with the default configuration first. If you do not get the results you want, you can tweak things to make sure the software indexes your events correctly.
See Overview of event processing and How indexing works in the Splunk Enterprise Managing Indexers and Clusters of Indexers guide so that you can make decisions about how to make Splunk software work with your data. Consider the following scenarios for collecting data.
- Are the events in your data more than one line? See Configure event line breaking.
- Is your data in an unusual character set? See Configure character set encoding.
- Is the Splunk software unable to determine the timestamps correctly? See How timestamp assignment works.
Use apps to get data in
Apps typically target specific data types and handle everything from configuring the inputs to generating useful views of the data. For example, the Splunk App for Windows Infrastructure provides data inputs, searches, reports, alerts, and dashboards for Windows host management. The Splunk App for Unix and Linux offers the same for Unix and Linux environments. There is a wide range of apps to handle specific types of application data, including the following:
How the forwarder handles your data
This documentation applies to the following versions of Splunk Cloud™: 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7, 8.0.0