Splunk Cloud Platform

Getting Data In

Monitor First In, First Out (FIFO) queues

You can configure a First In, First Out (FIFO) input by editing the inputs.conf configuration file on a Splunk Enterprise instance. If you use Splunk Cloud Platform, use a heavy forwarder to read, index, and forward FIFO queues. Splunk Web doesn't support the definition of FIFO inputs.

Data that you send over FIFO queues doesn't remain in computer memory, which can make FIFO queues an unreliable method for getting data in. To ensure data integrity, use the monitor input instead. For more information on the monitor input, see Monitor files and directories.

Add a FIFO input to inputs.conf

If you haven't worked with configuration files before, read About Configuration Files in the Splunk Enterprise Admin Manual before you begin.

To add a FIFO input, edit the inputs.conf file and add a FIFO input stanza. Add the stanza to the inputs.conf file in the $SPLUNK_HOME/etc/system/local/ directory, or in your own custom application directory in $SPLUNK_HOME/etc/apps/. You might need to create the file if it doesn't already exist.

This input stanza configures Splunk Enterprise to read from a FIFO queue at the specified path:

[fifo://<path>]
<setting1> = <val1>
<setting2> = <val2>
...

You can use the following settings with FIFO input stanzas:

Setting: host = <string>
Description: Sets the host key or field to a static value for this stanza. The <string> is prepended with host::.
This setting sets the host key's initial value. This key is used during parsing and indexing to set the host field. It is also the host field used at search time.
Default: The IP address or fully qualified domain name of the host where the data originated.

Setting: index = <string>
Description: The index where events from this input are stored. The <string> is prepended with index::.
Default: The main index or whatever you have set as your default index.

Setting: sourcetype = <string>
Description: Sets the sourcetype key or field for events from this input. This setting explicitly declares the source type for this data, as opposed to letting it be determined automatically. Declaring the source type is important both for searchability and for applying the relevant formatting for this type of data during parsing and indexing.
This setting sets the sourcetype key's initial value. This value is used during parsing and indexing to set the source type field. It is also the source type field used at search time.
Default: Splunk software picks a source type based on various aspects of the data. There is no hard-coded default.

Setting: source = <string>
Description: Sets the source key or field for events from this input. The <string> is prepended with source::.
Don't override the source field unless absolutely necessary. The input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider using source types, tagging, and search wildcards before overriding this value.
Default: The input file path.

Setting: queue = [parsingQueue|indexQueue]
Description: Where the input processor deposits the events that it reads.
Set to parsingQueue to apply the props.conf file and other parsing rules to your data. Set to indexQueue to send your data directly into the index.
Default: parsingQueue
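
As an added example (not part of the Splunk documentation), the following Python script audits the [fifo://<path>] stanzas of an inputs.conf file against the settings described above and checks that each path really is a FIFO. The function name, the finding labels, and the group/world-writable permission check are assumptions introduced for this example; the sample path is constructed.

```python
import configparser
import os
import stat

QUEUES = {"parsingQueue", "indexQueue"}  # values documented for the queue setting

def audit_fifo_inputs(conf_text):
    """Return sorted (path, finding) pairs for each [fifo://<path>] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)
    findings = set()
    for stanza in cp.sections():
        if not stanza.startswith("fifo://"):
            continue  # other input types are out of scope here
        path = stanza[len("fifo://"):]
        opts = cp[stanza]
        queue = opts.get("queue", "parsingQueue")  # documented default
        if queue not in QUEUES:
            findings.add((path, "bad-queue"))
        elif queue == "indexQueue":
            # Data goes straight to the index; props.conf parsing rules are skipped.
            findings.add((path, "index-queue"))
        if "source" in opts:
            # The page advises against overriding source unless absolutely necessary.
            findings.add((path, "source-override"))
        try:
            st = os.stat(path)
        except OSError:
            findings.add((path, "missing"))
            continue
        if not stat.S_ISFIFO(st.st_mode):
            findings.add((path, "not-fifo"))
        elif st.st_mode & 0o022:
            # Added check (assumption of this example): a group- or world-writable
            # FIFO lets other local accounts feed events into the index.
            findings.add((path, "loose-perms"))
    return sorted(findings)

if __name__ == "__main__":
    import tempfile
    fifo = os.path.join(tempfile.mkdtemp(), "app_events.fifo")  # constructed sample
    os.mkfifo(fifo)
    os.chmod(fifo, 0o666)
    sample = f"[fifo://{fifo}]\nsourcetype = app_events\nsource = custom\nqueue = indexQueue\n"
    for path, finding in audit_fifo_inputs(sample):
        print(f"{path}: {finding}")
```

Run it on the host that reads the queue, because the file type and permission checks use the local file system.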
Last modified on 27 October, 2021

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408

