This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
When you use Splunk, you are working with data in a Splunk index. In general, this manual assumes that a Splunk admin has already added data to your Splunk index. If this is the case, you can skip right to the "Search and investigate" chapter in this manual.
Read on to:
Splunk can index any IT data from any source in real time. Point your servers or network devices' syslog at Splunk, set up WMI polling, monitor any live logfiles, enable change monitoring on your filesystem or the Windows registry, schedule a script to grab system metrics, and more. No matter how you get the data, or what format it's in, Splunk will index it the same way — without any specific parsers or adapters to write or maintain. It stores both the raw data and the rich index in an efficient, compressed, filesystem-based datastore — with optional data signing and auditing if you need to prove data integrity.
When adding data to Splunk, you have a variety of flexible input methods to choose from: Splunk Web, Splunk's CLI, and the inputs.conf configuration file.
You can add most data sources using Splunk Web. If you have access to the configuration files, you can use inputs.conf, which has more extensive configuration options. Any changes you make using Splunk Web or the Splunk CLI are written to inputs.conf.
The "Add data to your indexes" topic briefly outlines the general procedure for using Splunk Web to add new data. For more specifc information about configuring inputs, see the "Add data and configure inputs" chapter in the Admin manual.
You'll notice that we use the term "index" to refer to a couple of different things. First and foremost, when Splunk indexes new data, it processes the raw data to make it searchable. Second, when we talk about Splunk indexes, we mean the data store where Splunk stores all or parts of the data. So, when you index new data, Splunk stores the data in indexes. Additionally, when you search, you're matching against data in one or multiple indexes.
When you add an input to Splunk, that input gets added relative to the App you're in. Some Apps, like the *nix and Windows Apps that ship with Splunk, write input data to a specific index (in the case of *Nix and Windows, that is the 'os' index). If you're not finding data that you're certain is in Splunk, be sure that you're searching the right index.
For the Splunk user, this is all you need to know before you begin searching and learning more about your data. If you want to read more about managing the data in your indexes, see the "Manage indexes" chapter in the Admin manual.