Find and index data

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4

Add Data

Adding data inputs to Splunk is easy, and there are many methods for getting your data into Splunk. You can add data via SplunkWeb, Splunk's CLI, scripts and third-party software. To get started quickly and simply, you can immediately begin tailing a file in a log file directory, such as /var/log.


When you first access SplunkWeb, there is a helpful action link to begin tailing /var/log locally:


[Screenshot: 30_admin1_findindex-largergettingstarted.jpg]


There are many other ways to set up data inputs into Splunk. This section is a high-level description of these techniques. For more detailed methods, see the data inputs section.


Tail a file

When you specify a file to tail, Splunk will process the entire file and then watch and process additions to the file. When you give a directory name to process, Splunk recursively searches all subdirectories looking for files resembling log files. You can explicitly include or exclude files with whitelisting and blacklisting.


Tailing files via the SplunkWeb Admin Interface

  • Click the Data Inputs tab.
  • The first row is the Files and Directories option. Click the Add input link under the Action heading.
  • Under the Source heading
    • Select Tail from the Data Access drop-down.
    • Type in the path to the file in the text box.

Tailing files via the CLI

Use the splunk add command. The examples below assume you have set the Splunk environment variable; if you have not, change to $SPLUNK_HOME/bin and run the command as ./splunk.


For example:


splunk add tail /var/log/


This command tails all files in /var/log/.


Find logfiles

Splunk has a built-in command to search for potential log files to index. From the Splunk CLI, type:


splunk find logs "searchpath1;searchpath2;..."

This command searches for logs in any number of search paths, separated by semicolons.


The details of which directories and file types are ignored, as well as the file size and modification date restrictions, are defined in $SPLUNK_HOME/etc/findlogs.ini.


After logs are found, you will have the option of indexing some, all, or none of the files. If you answer Some, you will be prompted file-by-file.
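The discovery and tailing steps above, as an added Python example that is not Splunk's own code: it walks semicolon-separated search paths the way splunk find logs takes them, applies whitelist, blacklist, size and modification-date rules of the kind the page attributes to findlogs.ini (the POLICY dict is a constructed stand-in, since that file's syntax is not shown here), and renders the splunk add tail command for each surviving file. The directory tree built by demo() is constructed for the example.

```python
import os
import re
import tempfile
import time

# Constructed policy for this example: findlogs.ini holds the ignored directories,
# file types and size/mtime limits, but its syntax is not shown, so this is an assumption.
POLICY = {
    "skip_dirs": {"proc", "sys", "dev"},
    "whitelist": re.compile(r"(\.log(\.\d+)?|messages|secure|syslog)$"),
    "blacklist": re.compile(r"\.(gz|bz2|zip|tar)$"),
    "max_bytes": 1_000_000_000,
    "max_age_days": 30,
}

def find_logs(search_paths, policy=POLICY):
    """Walk ';'-separated search paths and return files passing whitelist, blacklist, size and age checks."""
    now, found = time.time(), []
    for top in search_paths.split(";"):
        for root, dirs, files in os.walk(top):
            dirs[:] = [d for d in dirs if d not in policy["skip_dirs"]]  # prune ignored dirs
            for name in files:
                if policy["blacklist"].search(name) or not policy["whitelist"].search(name):
                    continue
                path = os.path.join(root, name)
                st = os.stat(path)
                if st.st_size > policy["max_bytes"] or \
                   now - st.st_mtime > policy["max_age_days"] * 86400:
                    continue  # too large or not modified recently enough
                found.append(path)
    return sorted(found)

def tail_commands(paths):
    """Render the `splunk add tail` call for each file chosen for indexing."""
    return [f"splunk add tail {p}" for p in paths]

def demo():
    """Build a constructed /var/log-like tree in a temp dir; return the relative paths discovery keeps."""
    base = tempfile.mkdtemp()
    files = {"var/log/messages": b"ok", "var/log/app.log.1": b"ok",
             "var/log/old.log": b"ok", "var/log/archive.log.gz": b"x",
             "var/proc/kmsg.log": b"x", "var/log/big.log": b"x" * 2048,
             "var/log/notes.txt": b"x"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(data)
    stale = time.time() - 60 * 86400                         # old.log is 60 days old
    os.utime(os.path.join(base, "var/log/old.log"), (stale, stale))
    return [os.path.relpath(p, base) for p in find_logs(base, dict(POLICY, max_bytes=1024))]
```

Only the fresh, uncompressed, whitelisted files outside the pruned directory survive, which is the set you would then confirm file-by-file when answering Some.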


Get help configuring your sources

New data sources can crop up daily. If you do not see the means to configure a data source to send the data you want to Splunk, be sure to look on SplunkBase or contact Splunk Support.

Revision: 207 | Community content licensed under Creative Commons