This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4
If you're using distributed input, you will need to configure your receiving server (or servers) first. These are the Splunk instances that will be receiving and indexing data from other Splunk hosts. You need these servers to be in place before you configure the forwarding servers.
If you're using a single-server deployment, follow these steps first to set up your index to handle data properly, then proceed to the next step on the same server to get your inputs and data processing working.
Splunk has a default data retention policy. You may want to keep your data around longer, age it out sooner, or set up a script to back it up. You can set the data retention policy on each of the receiving servers to reflect your data retention needs.
Decide who gets access to the server. Then, set up user accounts for them. You can use either Splunk's built-in user authentication method, or you can set up LDAP.
You will need to set up your receiving servers to accept incoming connections from the forwarding servers. You can set up receiving via SplunkWeb or the CLI.
If you have decided to change Splunk's data segmentation policy, you will need to make changes to segmenters.conf. You can set Splunk to break only on specific characters. Changing segmentation affects index size and, consequently, storage space.