This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13
Splunk is search software for any type of data. Learn more about how Splunk works by reading through this introductory page. You'll find many links here for installing, configuring and customizing your Splunk installation.
Splunk has several options for configuration: a Web interface (Splunk Web), a command line interface (the CLI), and configuration files. Most of Splunk's configuration can be done through the Admin page of Splunk Web and the CLI. Advanced settings are configured through configuration files.
Installing Splunk is easy and fast. These instructions show you how to install, upgrade, or back up an existing copy of Splunk.
Important: It's a good idea to back up your current instance before you upgrade.
Splunk is capable of receiving data in a variety of ways. Read on for a brief description of each input type. For a more in-depth description of inputs, read how input configuration works.
Splunk for Windows comes with its own set of configuration files for setting up Windows-specific inputs, including Windows registry and WMI. Read more about configuring Windows inputs.
Configure distributed inputs and outputs across your network. Send data between one Splunk instance and another, or to third-party software. For an overview of all the available configuration options, see How data distribution works.
Splunk takes all data from inputs and sends it through an indexing pipeline, where the data is broken up into separate events according to segmentation rules. Most data is segmented and timestamped correctly, but you may want to configure Splunk to index your data in particular ways. Learn more about how indexing works.
Here are some things you might want to consider:
Configuration for indexing is set mostly through props.conf and transforms.conf.
Fields are a useful aspect of Splunk's search interface. You can use Splunk's built-in fields that are enabled by default. Here's a list of Splunk's default fields, including links to more in-depth documentation:
You can also create your own fields. Custom fields are useful for:
To learn more about creating custom fields, see how fields work.
Splunk's search interface is useful for tracking down different aspects of your data. Here are a few things you can do with your searches:
For a more detailed overview of search, see how search works.
In a distributed setup, you may want to search across multiple instances of Splunk. Enable distributed search to federate searches across your entire Splunk deployment. Read more about how distributed search works.
Secure your Splunk server with the following security configuration options. Here's a brief overview of the available features. For a more detailed overview, see security options.
Splunk includes several authentication options, including:
Use the following options to enable separate auditing configurations:
$SPLUNK_HOME/etc/ directory for configuration changes.
_audit.
Splunk servers often index large amounts of data each day. You may want to enable advanced settings to handle the following data management scenarios.
Note: Many data management settings are enabled on a per-index basis, using indexes.conf. To learn more about indexes, see how indexes work.
In a distributed setup, enable one or more Splunk instances as deployment servers. A deployment server pushes configuration changes out to other Splunk instances.
For a complete overview of all deployment options, read the Deployment manual. For instructions on configuring and enabling the deployment server and clients, read the Admin manual section on the deployment server.
The following options help you tune Splunk's performance for your environment. Depending on your system and requirements, you may want to change one or more of the following settings:
A more in-depth overview of performance tuning options is available here.
Many of Splunk's advanced configurations and customizations are available only through configuration files. Create configurations by copying files into a custom application directory. Learn more about application directories and configuring application directories.
Applications are directories of configuration files with specific purposes. Configure your own applications by following these instructions.
You can also share your configuration file directories as applications with the Splunk community on SplunkBase.
Pimp your Splunk! Everybody's data is a little bit different. Maybe you want to set custom configurations for the system you're running Splunk on. Here are options for personalizing your Splunk instance.
Change various aspects of Splunk Web's appearance:
Splunk includes a REST API. Read the Developer's Guide to learn more about the REST API. To configure additional REST endpoints, use restmap.conf.
If there's something you need help with, even after reading the documentation, contact Splunk support.
If there's a feature you don't see here that you want included, file an enhancement request with Splunk support.
We're always interested in your feedback.