This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3
You can add data inputs via inputs.conf. This will give you more granularity in your configuration than setting up inputs via SplunkWeb or the CLI.
Add your stanza to $SPLUNK_HOME/etc/bundles/local/inputs.conf. Specify an input type and any number of attribute/value pairs.
[<inputtype>://<path>]
attribute1 = val1
attribute2 = val2
...
Tailing:
[tail://<path>]
This directs Splunk to watch all files in the <path>, or just <path> if it represents a single file.
Please note: if you set CHECK_METHOD = modtime in props.conf for the source, Splunk checks the modtime of the file and re-indexes it whenever the modtime changes. The entire file is re-indexed in that case, which can result in duplicate events.
Wildcards: ... for paths and * for files:
... will recurse through directories until the match is met. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc.
* will match anything in that specific path segment. It cannot be used inside a directory path; it must be used in the last segment of the path. For example, /foo/*.log will match /foo/bar.log but will not match /foo/bar.txt or /foo/bar/test.log.
[tail:///apache/.../logs]
This will load anything in /apache/foo/logs or /apache/bar/logs, etc.
[tail:///apache/*.log]
This will load anything in /apache/ that ends in .log.
Batch (aka Watch):
[batch://<path>]
Same as tailing, except Splunk uses the batch file loader. Files should be closed for writing.
TCP:
[tcp://<remote server>:<port>]
This configures Splunk to listen on the specified port. If a connection is made from <remote server>, this stanza is used to configure the input.
If <remote server> is blank, this stanza matches all connections on the specified port.
UDP:
[udp://<remote-server>:<port>]
Similar to TCP, except that Splunk listens on a UDP port.
FIFO:
[fifo://<path>]
This directs Splunk to read from the FIFO at the specified path.
host = <string>
This sets the host of events from this input to be the specified string. host:: is automatically prepended to the value when this shortcut is used.
index = <string>
This sets the index where events from this input will be stored.
source = <string>
This sets the source name of events from this input to be the specified string. source:: is automatically prepended to the value when this shortcut is used.
sourcetype = <string>
This sets the source type name of events from this input to be the specified string. sourcetype:: is automatically prepended to the value when this shortcut is used.
reportinghost = <string>
This sets the reporting host name of events from this input to be the specified string. reportinghost:: is automatically prepended to the value when this shortcut is used.
Different input types have specific attributes that can be set for that input type only.
Tailing:
host_regex = <regular expression>
If specified, Splunk will use the specified regular expression to extract the host from the filename of each input. Specifically, the first group of the regex is used as the host. If the regex fails to match, the host = attribute is used as the host.
host_segment = <integer>
If specified, Splunk will use the specified '/' separated segment of the path as the host of each input. If the value is not an integer, or is less than 1, the host = attribute is used as the host.
followTail = 0|1
If set to 1, monitoring will begin at the end of the file (like tail -f in *nix). This will only apply to files the first time they are picked up. After that, Splunk's internal file position records keep track of the file.
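The following Python is an added illustration, not Splunk's own code: it models the two wildcard rules (... for directories, * only in the last segment) and the host_regex / host_segment fallback behaviour described above, so you can check which files a tail:// stanza would pick up and what host they would be assigned before deploying the stanza. The sample paths are constructed, and treating ... as "zero or more directories" is an assumption drawn from the /foo/.../bar matching foo/bar example.

```python
import re

def stanza_matches(pattern: str, path: str) -> bool:
    """True if `path` falls under a tail://<pattern> stanza.
    '...' matches zero or more directory segments (assumed from the examples);
    '*' matches within the final segment only, as the text states."""
    pat_segs = pattern.strip("/").split("/")
    path_segs = path.strip("/").split("/")
    if any("*" in s for s in pat_segs[:-1]):
        # The page says '*' cannot appear inside a directory path; reject it here.
        raise ValueError("'*' is only allowed in the last path segment")

    def match(pi: int, si: int) -> bool:
        if pi == len(pat_segs):
            return si == len(path_segs)          # both pattern and path fully consumed
        seg = pat_segs[pi]
        if seg == "...":
            # Try consuming 0..n directories, then continue with the rest of the pattern.
            return any(match(pi + 1, k) for k in range(si, len(path_segs) + 1))
        if si >= len(path_segs):
            return False
        if "*" in seg:                          # glob confined to this one segment
            rx = "^" + ".*".join(re.escape(p) for p in seg.split("*")) + "$"
            return re.match(rx, path_segs[si]) is not None and match(pi + 1, si + 1)
        return seg == path_segs[si] and match(pi + 1, si + 1)

    return match(0, 0)

def host_from_regex(filename: str, host_regex: str, default_host: str) -> str:
    """First capture group of host_regex; falls back to the host = attribute."""
    m = re.search(host_regex, filename)
    return m.group(1) if m and m.lastindex else default_host

def host_from_segment(path: str, host_segment, default_host: str) -> str:
    """1-based '/'-separated segment of the path; falls back to the host =
    attribute when the value is not an integer, less than 1, or past the end."""
    try:
        n = int(host_segment)
    except (TypeError, ValueError):
        return default_host
    segs = path.strip("/").split("/")
    return segs[n - 1] if 1 <= n <= len(segs) else default_host

if __name__ == "__main__":
    # Constructed sample paths for illustration only.
    print(stanza_matches("/foo/.../bar", "/foo/1/2/bar"))                  # True
    print(stanza_matches("/foo/*.log", "/foo/bar/test.log"))               # False
    print(host_from_segment("/var/log/web01/access.log", 3, "splunkhost")) # web01
```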
Batch:
move_policy = {passive_symlink, passive_copy, sinkhole} (passive_symlink)
This specifies the policy to be used to handle the files. The sinkhole policy will delete the files as they are read, while the other two methods will link or copy the files into a separate directory.
host_regex
(see Tailing)
host_segment
(see Tailing)
The following attributes are not supported by batch:
source = <string>
<KEY> = <string>
TCP:
connection_host = {ip,dns,<string>} (ip)
The TCP input processor will rewrite the host with the IP address of the remote server if ip is set, with the DNS name of the remote server if dns is set, and will leave the host unchanged for any other string.
UDP:
_rcvbuf = <int>
The UDP port will have its receive buffer changed to the value specified. If the value is 0 or negative, it will be ignored. The default value for Splunk is 1MB (the default in the OS varies).