• General Information
  • General Info
    • What Is Splunk?
    • What problem does Splunk software solve?
    • Who uses Splunk?
    • How is Splunk used most often?
    • What is the ROI for deploying Splunk? Why should I use it?
    • When is your next release?
    • Is Splunk open source?
• Company Background
  • Company Background
    • When was the company founded? When was the product released?
    • Who are your investors? How much money have you raised?
    • What are your revenues? When do you expect to be profitable?
• How Splunk Works
  • Installation
    • How long does it take to install Splunk?
    • What is Splunk's impact on production systems, applications and networks? What is its memory footprint?
    • Which platforms does Splunk run on?
    • Does Splunk need agents?
  • Accessing data
    • What kind of data does Splunk support? Does Splunk support (name of product/log format here)?
    • Does Splunk integrate with any products?
    • Can Splunk access data on Windows? How?
    • Can Splunk access data on mainframes? How?
    • How does Splunk access data sources?
    • Can Splunk send alerts?
    • Can I generate reports with Splunk?
    • Does Splunk support compliance?
    • Does Splunk collect data securely and protect data integrity?
    • How does Splunk deal with logs from different time zones?
    • What if my logs don't have timestamps?
    • What are the differences between user levels (User, Power User, Admin) in Splunk when running with an enterprise license?
    • What language is Splunk written in?
  • Data Management
    • Does Splunk store copies of my log data?
    • How does Splunk store its data? Does it use a relational database? What database does it use?
    • How is the index structured?
    • Does Splunk compress the data it stores?
    • What are Splunk's storage requirements?
    • How much data can Splunk store online? How long can Splunk keep data online?
    • Can Splunk automatically retire older data? How do I avoid running out of disk space?
    • Splunk's stopped indexing my data. Is that because I exceeded my license limit?
    • How scalable is Splunk? How does Splunk scale?
    • How dense is the index?
  • Search
    • What search technology underlies Splunk? Lucene?
    • Does Splunk do correlation?
  • Licensing
    • What are the differences between the free and enterprise licenses?
    • What happens when my trial license expires?
    • Does indexing stop if I reach the limit of my license?
    • What happens when I exceed my license limit?
    • My 2.x license doesn't work with 3.0
• Purchasing Splunk
  • Purchasing Splunk
    • How much does Splunk cost? How is it licensed?
    • How do I know how much data I have?
    • Can I re-use the same license key on different servers?
    • What is Splunk's service and support offering?
    • Does Splunk offer installation assistance and other professional services?
    • Does Splunk offer training?
    • Can I schedule a demo with Splunk Sales?
    • Can I get an extension for my trial license?
• Splunk Base and the Splunk Community
  • SplunkBase and the Splunk Community
    • What is SplunkBase?
    • How do I use SplunkBase?
    • How does the Splunk Community fit with the Splunk software product?
    • How many members does the Splunk Community have?
    • Aren't there already a number of communities for systems administrators? Why should they come to SplunkBase?
• Customers and Partners
  • Customers and Partners
    • Who are your partners?
    • Who are your customers? How many customers does Splunk have?
    • Do you have a reseller program?
    • Do you OEM your product?
• Getting Started
  • Getting Started
    • How do I start?
    • I just installed Splunk with an enterprise and I'm trying to log into the web interface for the first time. It's asking me for a username and password. What are they?
    • How do I index a file?
    • I've gotten to my Splunk interface, but what do I search for?
    • Can I install a new version of Splunk over an older version, without losing any of my configurations or data?
• Accessing Data
  • Accessing Data
    • How can I customize the way Splunk handles my data?
    • How can I tell if all my data has been indexed?
    • I have more than 10,000 events indexed. Why don't they all show up when I run a "meta::all" search?
    • How do I configure Splunk to index archived (non-growing) files?
    • How do I configure Splunk to index live (constantly-growing) files?
    • Can I set up a live input of data from different hosts to my central Splunk server?
  • Windows
    • Does Splunk run on Windows?
• How Splunk Handles Data
  • How Splunk Handles Data
    • Splunk is handling multiple events as one. Splunk is splitting multiple line events in the wrong place. How do I fix that?
    • Splunk is not recognizing my timestamps correctly. How do I fix that?
    • I want to add custom fields such as user:: to the default fields like source::. How do I do that?
    • I have some sensitive data. Can I garble it before it gets indexed?
    • I want to search for messages in my email logs based on both sender and recipient, but these are recorded in different events with a common message id. Can Splunk handle that?
    • Does Splunk read milliseconds?
• Administration
  • Administration
    • I need to change the ports Splunk uses. How can I do this?
    • I want to clear out my index. How do I do that?
• Integrating and Extending Splunk
  • Integrating and extending Splunk
    • Can I use SOAP or REST to talk to Splunk from another application?
    • Can I send alerts based on Splunk search results?
• Troubleshooting
  • Troubleshooting
    • I type in a term I know is in my data. Why don't I get any results?
    • I go to the URL for my Splunk server and there's nothing there. What do I do?
    • Splunk starts but Splunkd won't start. What do I do?
    • The webserver is saying splunkd is down but it isn't. What is the matter?
    • I'm running low on disk space. What do I do?
    • I've made some config changes, but I'm not sure if they're working.
    • My 2.x license doesn't work with 3.0
    • I can't export results in Internet Explorer 6
• Getting Help
  • Getting Help
    • How can I learn more about Splunk's advanced features?
    • I lost my Splunk.com password. What do I do?
    • How do I report problems?
    • How can I make suggestions?
    • I have some questions that aren't answered here. Where can I get help?

Accessing Data

How can I customize the way Splunk handles my data?

See the Admin Manual for information on configuring Splunk to handle a variety of data types.

How can I tell if all my data has been indexed?

The total number of events in your index is listed on your Splunk homepage. For more information, click the "Admin" link in the upper right corner of the homepage. The Admin page includes an Input Status tab that lists each method of data input, including which methods are still processing files.

Splunk for index::splunklogger to see the history of everything your server has done since startup.

I have more than 10,000 events indexed. Why don't they all show up when I run a "meta::all" search?

A Splunk search defaults to the most recent 10,000 events, almost always sorted by time. To see up to 20,000 events, add maxresults::20000 to your search.

How do I configure Splunk to index archived (non-growing) files?

In your Splunk web interface, choose Admin > Data Inputs > Files and Directories and add a directory. Choose "Watch and copy" or "Watch and symlink" in the dropdown under source.

How do I configure Splunk to index live (constantly-growing) files?

In your Splunk web interface, choose admin > Data Inputs > Files and Directories and add a file or directory. Choose "Tail" in the dropdown under source.

Can I set up a live input of data from different hosts to my central Splunk server?

Yes, for both the free and enterprise license (although an enterprise license makes it a lot easier).

If you have a free license, either mount your remote log files, or use remote syslog to send data from your production hosts to a syslog file on the Splunk server. Then, load this data into your Splunk Server. If you have an enterprise license, you can install Splunk on your production hosts to access local data and forward from those Splunk servers to your central Splunk server in real time over TCP. All your options for deploying Splunk across a network are described in our Deployment section.