Documentation:
3.1.4
inputs.conf configures all inputs to Splunk including file and directory tailing and watching, network ports and scripted inputs.
For help configuring inputs via inputs.conf, see configure inputs via inputs.conf.
inputs.conf.spec
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains possible attribute/value pairs for controlling Splunk Server input configuration.
#
# There is an inputs.conf in the default bundle. To set custom configurations, place a
# inputs.conf in $SPLUNK_HOME/etc/bundles/local/ or your own custom bundle directory.
#
#
# A configuration looks like:
[<inputtype>://<path>]
attribute1 = val1
attribute2 = val2
...
# The precedence rules are the same as in props.conf.spec.
# A configuration without a set of attribute/value pairs will use the
# attribute/value pairs set in $SPLUNK_HOME/etc/bundles/default/inputs.conf.
The possible attributes/value pairs for ALL input types are:
host = <string>
* Set the host value of your input to a static value.
* "host::" is automatically prepended to the value when this shortcut is used.
index = <string>
* Set the index where events from this input will be stored.
* "index::" is automatically prepended to the value when this shortcut is used.
source = <string>
* Set the source name of events from this input.
* "source::" is automatically prepended to the value when this shortcut is used.
sourcetype = <string>
* Set the sourcetype name of events from this input.
* "sourcetype::" is automatically prepended to the value when this shortcut is used.
reportinghost = <string>
* Set the reporting host name of events from this input.
* "reportinghost::" is automatically prepended to the value when this shortcut is used.
<KEY> = <string>
* This generically associates <string> with <KEY> for all events from this
input.
* For example "Foo = bar" would automatically prepend "foo::bar" to your events.
# Valid <inputtypes> follow, with input-specific attributes listed as well.
# TAIL:
[tail://<path>]
* This directs Splunk to watch all files in the <path>.
* <path> can be an entire directory or just a single file.
# Additional attributes:
host_regex = <regular expression>
* If specified, the specified regex will extract the host from the filename of each input.
* Specifically, the first group of the regex is used as the host.
* If the regex fails to match, the default "host =" attribute is used.
host_segment = <integer>
* If specified, the specified '/' separated segment of the path will be set as host.
* If the value is not an integer, or is less than 1, the default "host =" attribute is used.
_whitelist = <regular expression>
* If set, files from this path will be tailed only if they match the specified regex.
_blacklist = <regular expression>
* If set, files from this path will NOT be tailed if they match the specified regex.
crcSalt = <string>
* If set, this string will be added to the CRC.
* This can be used to force Splunk to consume files that have matching CRCs.
* If the string <SOURCE> is specified, then the full source path will be added to the CRC.
followTail = 0|1
* If set to 1, monitoring will begin at the end of the file (like tail -f).
* This will only apply to files the first time they are picked up.
* After that, Splunk's internal file position records keep track of the file.
# BATCH:
[batch://<path>]
* Same as tailing, except Splunk uses the batch file loader.
# Additional attributes:
move_policy = {passive_symlink, passive_copy, sinkhole} (passive_symlink)
* Set the file handling policy.
* The "sinkhole" policy deletes the files as they are read.
* The other two methods link or copy the files into a separate directory.
host_regex (see Tailing)
host_segment (see Tailing)
The following are not used by the batch loader:
source = <string>
<KEY> = <string>
# TCP:
[tcp://<remote server>:<port>]
* Configure Splunk to listen on a specific port.
* If a connection is made from <remote server>, this stanza is used to configure the input.
* If <remote server> is blank, this stanza matches all connections on the specified port.
# Additional attributes:
connection_host = {ip,dns}
* If "ip" is set, the TCP input processor will rewrite the host with the ip address of the remote server.
* If "dns" is set, the host will be rewritten with the DNS entry of the remote server.
* Defaults to ip.
# Data distribution:
[Splunktcp://<remote server>:<port>]
* This is the same as TCP, except the remote server is assumed to be a Splunk Server.
* For Splunktcp, the host or connection_host will be used if the remote Splunk Server does not
set a host, or if the host is set to host::localhost.
* Note that attributes like index should be set on the forwarding server.
# Additional attributes:
queue = <string> (parsingPipeline)
* Specify where the TCP input processor should deposit the events that it reads.
# SSL settings:
[SSL]
serverCert=<path>
* Full path to the server certificate.
password=<string>
* Server certificate password, if any.
rootCA=<string>
* Certificate authority list (root file).
dhfile=<path>
* Path to the dhfile.pem.
* Optional.
requireClientCert=<true|false>
* Set whether a client is required to authenticate.
# UDP:
[udp://:<port>]
* Similar to TCP, except that it listens on a UDP port.
# Additional attributes:
_rcvbuf = <int>
* Specify the receive buffer for the UDP port.
* If the value is 0 or negative, it will be ignored.
* The default value for Splunk is 1MB (the default in the OS varies).
# FIFO:
[fifo://<path>]
* This directs Splunk to read from a FIFO at the specified path.
# Scripted Input:
[script://<cmd>]
* Will run the command "cmd" at a configured interval and index the output.
* The command must reside in the <Splunk_home>/etc/bundles/$YOUR_BUNDLE/bin directory.
interval = <integer>
* How often to execute the specified command (in seconds).
* If interval is not specified, it will default to 60 seconds.
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# The following are examples of input configurations.
# To use one or more of these configurations, copy the configuration block into
# inputs.conf in $SPLUNK_HOME/etc/bundles/local/ (or your own custom bundle).
# This configuration directs Splunk to read all the files in the
# directory /var/log.
[tail:///var/log]
# This configuration directs Splunk to read all the files under
# /var/log/httpd and classify them as sourcetype::access_common.
[tail:///var/log/httpd]
sourcetype = access_common
# This configuration directs Splunk to read all the files under
# /mnt/logs. It will set the hostname by file to <host> when the
# path is /mnt/logs/<host>/...
[tail:///mnt/logs]
host_segment = 3
# This configuration directs Splunk to listen on TCP port 9997
# for raw data from ANY remote server (not just a Splunk instance). The "host" of the data will be
# set as the IP address of the remote server.
[tcp://:9997]
# This configuration directs Splunk to listen on TCP port 9995
# for raw data from ANY remote server. The "host" of the data will be
# set as the host name of the remote server. All data will also be
# assigned the sourcetype "log4j" and the source "tcp:9995"
[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995
# This configuration directs Splunk to listen on TCP port 9994
# for raw data from 10.1.1.10. All data will be assigned the
# host "webhead-1", the sourcetype "access_common" and
# the source "//10.1.1.10/var/log/apache/access.log"
[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log
# This configuration directs Splunk to listen on TCP port 9996
# for distributed search data from ANY remote server. The data will be
# delivered directly to the indexer on the local machine without any
# further processing. The "host" of the data will be set to the
# host name of the remote server ONLY IF the remote data has no host
# set, or if it is set to "localhost."
[splunktcp://:9996]
queue = indexQueue
connection_host = dns
# This configuration directs Splunk to listen on TCP port 9998
# for Distributed Search data from only 10.1.1.100. The data will be
# processed just like locally harvested data.
[splunktcp://10.1.1.100:9996]
# This configuration directs the server to listen on TCP port 514
# for data from syslog.corp.company.net. The data will be assigned the
# sourcetype "syslog" and the "host" of the data will be set as the
# host name of the remote server.
[tcp://syslog.corp.company.net:514]
sourcetype = syslog
connection_host = dns
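An added example, not part of the Splunk documentation: a small Python audit that parses an inputs.conf and, following the TCP rule above that a blank <remote server> matches all connections on the port, lists the tcp, splunktcp and udp stanzas open to any sender and reports whether the [SSL] stanza sets requireClientCert to true. The sample configuration, the certificate path and the function names parse and audit are constructed for illustration.

```python
import re

# Constructed sample inputs.conf, using stanza forms shown on this page.
SAMPLE = """\
[tail:///var/log/httpd]
[tcp://:9997]
[tcp://10.1.1.10:9995]
[splunktcp://:9996]
[udp://:514]
[SSL]
serverCert=/opt/splunk/etc/auth/server.pem
requireClientCert=false
"""

NETWORK = re.compile(r"^\[(tcp|splunktcp|udp)://(.*)\]$", re.IGNORECASE)

def parse(text):
    """Return {stanza header: {attribute: value}}, skipping comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(text):
    """Flag listeners with a blank <remote server> and a lax [SSL] stanza."""
    stanzas = parse(text)
    findings = []
    for header in stanzas:
        m = NETWORK.match(header)
        if not m:
            continue
        # Everything before the last ':' is the <remote server> part.
        remote, _, port = m.group(2).rpartition(":")
        if not remote:
            findings.append((header, f"port {port} accepts any remote server"))
    ssl = stanzas.get("[SSL]", {})
    if ssl.get("requireClientCert", "").lower() != "true":
        findings.append(("[SSL]", "requireClientCert is not true"))
    return findings

if __name__ == "__main__":
    for header, issue in audit(SAMPLE):
        print(f"{header}: {issue}")
```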