Monitor First In, First Out (FIFO) queues
You can configure a First In, First Out (FIFO) input by editing the inputs.conf configuration file on a Splunk Enterprise instance. If you use Splunk Cloud Platform, use a heavy forwarder to read, index, and forward FIFO queues. Splunk Web doesn't support the definition of FIFO inputs.
Data that you send over FIFO queues doesn't remain in computer memory, so FIFO queues can be an unreliable method for data sources. To ensure data integrity, use the monitor input instead. For more information on the monitor input, see Monitor files and directories.
Add a FIFO input to inputs.conf
If you haven't worked with configuration files before, read About Configuration Files in the Splunk Enterprise Admin Manual before you begin.
To add a FIFO input, edit the inputs.conf file and add a FIFO input stanza. Add the stanza to the inputs.conf file in the $SPLUNK_HOME/etc/system/local/ directory, or in your own custom application directory in $SPLUNK_HOME/etc/apps/. You might need to create the file if it doesn't already exist.
This input stanza configures Splunk Enterprise to read from a FIFO queue at the specified path:
```
[fifo://<path>]
<setting1> = <val1>
<setting2> = <val2>
...
```
You can use the following settings with FIFO input stanzas:
Setting | Description | Default |
---|---|---|
host = <string> | Sets the host key or field to a static value for this stanza. The <string> is prepended with host::. This setting sets the host key's initial value. This key is used during parsing and indexing to set the host field. The host field is also used at search time. | The IP address or fully qualified domain name of the host where the data originated. |
index = <string> | The index where events from this input are stored. The <string> is prepended with index::. | The main index or whatever you have set as your default index. |
sourcetype = <string> | The sourcetype key or field for events from this input. This setting explicitly declares the source type for this data, as opposed to letting it be determined automatically. Declaring the source type is important both for searchability and for applying the relevant formatting for this type of data during parsing and indexing. This setting sets the sourcetype key's initial value. This value is used during parsing and indexing to set the source type field. It is also the source type field used at search time. | Splunk software picks a source type based on various aspects of the data. There is no hard-coded default. |
source = <string> | Sets the source key or field for events from this input. The <string> is prepended with source::. Don't override the source field unless absolutely necessary. The input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider using source types, tagging, and search wildcards before overriding this value. | The input file path. |
queue = [parsingQueue\|indexQueue] | Where the input processor deposits the events that it reads. Set to | Defaults to parsingQueue. |
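
The following is an added example, not part of the Splunk documentation: shell functions that create a named pipe with owner-only permissions and append the matching `[fifo://<path>]` stanza to an inputs.conf file, using only the index, sourcetype and queue settings from the table. The function names, the paths, the app name, the index and the source type are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example. Paths, index and source type below are constructed
# placeholders; only index, sourcetype and queue are used as settings.

# fifo_stanza <fifo_path> <index> <sourcetype>
# Prints a [fifo://<path>] stanza for an existing named pipe.
fifo_stanza() {
    local path="$1" index="$2" sourcetype="$3"
    # This example accepts absolute paths only, so the stanza is unambiguous.
    case "$path" in
        /*) ;;
        *) echo "fifo path must be absolute: $path" >&2; return 1 ;;
    esac
    # Refuse to describe a regular file or directory as a FIFO input.
    if [ ! -p "$path" ]; then
        echo "not a FIFO: $path" >&2
        return 1
    fi
    printf '[fifo://%s]\n' "$path"
    printf 'index = %s\n' "$index"
    printf 'sourcetype = %s\n' "$sourcetype"
    printf 'queue = parsingQueue\n'
}

# add_fifo_input <fifo_path> <inputs_conf> <index> <sourcetype>
# Creates the pipe if it is missing and appends the stanza once.
add_fifo_input() {
    local path="$1" conf="$2" index="$3" sourcetype="$4" stanza
    # Owner-only mode: any account that can write to the pipe can feed
    # events into this input, so do not leave it group or world writable.
    [ -e "$path" ] || mkfifo -m 0600 "$path" || return 1
    # Idempotent: leave the file alone if the stanza header already exists.
    if [ -f "$conf" ] && grep -qxF "[fifo://$path]" "$conf"; then
        return 0
    fi
    stanza="$(fifo_stanza "$path" "$index" "$sourcetype")" || return 1
    mkdir -p "$(dirname "$conf")" || return 1
    printf '%s\n\n' "$stanza" >> "$conf"
}

# Usage (constructed values):
#   add_fifo_input /var/run/myapp/events.fifo \
#       "$SPLUNK_HOME/etc/apps/myapp_inputs/local/inputs.conf" main myapp:events
```

Mode 0600 assumes the process writing to the pipe and Splunk Enterprise run as the same account; if they differ, grant access through a dedicated group rather than making the pipe world writable.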
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408