• Getting Started
  • About the getting started section
  • Installation
  • Start Splunk for the first time
  • Administration Basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Find and index data
    • Add Data
    • Tail a file
    • Find logfiles
    • Get help configuring your sources
  • Add more users
    • User roles
    • Splunk local users
    • LDAP
  • Start searching
• How Splunk Works
  • How Splunk Works
    • About Splunk
    • Indexing
    • User interaction
    • Users and access controls
    • Distributed deployments
    • Configuration
    • SplunkBase
    • Developer APIs and integration features
    • Licensing
• Configuring a Splunk Deployment
  • About the deployment section
  • Choose a Deployment Model
    • Single server
    • Distributed input
    • Distributed indexing
    • Data redundancy
    • Partitioning
    • Forwarding to non-Splunk systems
    • LDAP integration
  • Decide how Splunk should index your data
    • Create additional indexed fields
    • Tweak default processing
    • Mask sensitive data
    • Change indexing density
    • Eliminate processing steps
    • Filter and route data
  • Install Splunk on every host
  • Configure the receiving servers
    • Data policy
    • Authentication
    • Receiving
    • Segmentation
  • Configure the forwarding servers
    • Define server classes
    • Inputs
    • Processing properties
    • Data distribution
    • Data policy
    • Authentication
  • Set up the deployment server
    • Configure the deployment server
    • Set up deployment classes
• Data Inputs
  • How input configuration works
    • Data input types
    • Indexing properties
  • Configure inputs via SplunkWeb
    • Configuration
    • Files and directories
    • FIFO queues
    • Network ports
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
    • Examples
  • Configure inputs via inputs.conf
    • Configuration
  • Index SNMP events with Splunk
  • Scripted inputs
    • Configuration
    • Example
  • Add binary files
    • Configuration
    • Example
  • log4j
    • External Links
  • Dynamic metadata assignment
    • Configuration
    • Set values with a script
  • File whitelisting / blacklisting
    • Configuration
    • Example
    • Verification tool
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via SplunkWeb
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via SplunkWeb
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
• Source Types
  • How source types work
    • Sources and source types
    • How sourcetype:: values are set
    • Custom indexing linked to source types
    • Eliminate processing steps
    • Configuration files for source types
  • Set source type for an input
    • via SplunkWeb
    • via configuration files
  • Set a source type for a source
    • via configuration files
  • Train Splunk on a sourcetype
    • via the CLI
  • Create an alias for a source type
    • via SplunkWeb
  • Rule-based association of sourcetypes
    • Source type precedence
    • Configuration
    • Examples
• Timestamp Recognition
  • How Splunk recognizes timestamps
    • Timestamp precedence
    • Configuration files for timestamps
  • Configure Splunk to recognize a timestamp
    • Positional timestamp extraction
    • Specify timestamp format
    • Set time zone
    • Set Splunk to use the European date format
  • Train Splunk to recognize timestamps
    • About training
    • via the CLI
  • How to configure timezone offsets
    • Configuration
    • Posix TZ formats
    • Examples
  • Tune Timestamping
    • Turn off timestamp lookahead
• Events
  • How events work
    • Event or event type
    • How event recognition works
    • Configuration files for event boundaries
  • Large events
  • Multiline events
    • Configuration
    • Examples
  • Mask sensitive data in an event
    • Configuration
  • Character set
    • Character set specification
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Auto-discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Save event types via SplunkWeb
    • Configuration
    • Example
  • Tag event types
    • Configuration
  • Configure auto-discovery
    • Configuration
    • Example
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
• Meta Events
  • How meta events work
    • Transitive meta events
    • Configuration files for meta events
  • Configure meta events
    • Configuration
    • Examples
• Fields
  • How fields work
    • Search fields vs extracted fields
    • Disable fields entirely
    • Configuration files for fields
  • Create additional search fields
    • Configuration
    • Example
  • Define additional extracted fields
    • Configuration
    • Example
  • Field actions
    • Configuration
  • Define extracted fields in meta events
    • Configuration
    • Example
• Segmentation
  • How segmentation works
    • Configuration files for segmentation
  • Configure segmentation
    • Inner segmentation
    • Outer segmentation
    • No segmentation
  • Enable custom segmentation
    • Configuration
    • Example
• Saved Searches and Alerts
  • How saved searches work
    • Saved searches
    • Alerting
  • Set up saved searches
    • via SplunkWeb
    • via configuration files
  • Set up alerts
    • via SplunkWeb
    • via configuration files
    • Script options
  • Send SNMP traps
    • Configuration
  • Send syslog events
    • Configuration
    • Example
  • Form searches
    • Create a form search
    • Form searches with fields
    • Form searches with predefined values
    • Share your form search
• Authentication
  • How authentication works
  • SSL
    • Configuration
    • SSL for SplunkWeb
  • Enable HTTPS
    • configuration
  • Set up users
  • Set up LDAP
    • Configure your Authentication Strategy via SplunkWeb
    • Configure Splunk to use your LDAP server
    • Determine your User and Group Base DN
    • Map existing LDAP groups to Splunk Roles
    • Test your LDAP configuration
    • Sample configurations
• Granular Access Control
  • How Granular Access Control works
    • Configuration files for access controls
  • Configure access controls
    • Granting access through roles
    • Users, groups and roles
    • Configuration
    • Example
• Data Distribution
  • How data distribution works
    • Data forwarding
    • Data routing
    • Data cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lite-weight forwarding and routing
  • Configure outputs.conf
    • Configuration
    • Optional attributes
  • Set up routing
    • Configuration
    • Examples
  • Route data to third-party systems
    • Configuration
    • Example
  • Enable cloning
  • Set up SSL
    • Forwarder
    • Receiver
  • Set up data balancing
    • Configuration
    • Example
  • Filtering and routing
    • Configuration
    • Example
  • Route specific events to an alternate index
    • Configuration
    • Example
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via SplunkWeb
  • Enable distributed search via the CLI
    • Configuration
  • Configuration files for distributed search
  • Users in a distributed search setup
  • Exclude specific Splunk servers from distributed searches
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Create a deployment server
    • Configuration
    • Examples
  • Configure deployment clients
    • Enable the client and server
    • Sync the server and client
  • Configuration changes after initial deployment
  • Using Splunk with 3rd Party configuration management systems
• Index Management
  • How Index Management Works
    • Data management
    • Configuration files for index management
  • Add or Remove an index
    • Create an index
    • Delete an index
  • Move an index
    • Configuration
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Set retirement policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restore archived data
    • Restore with resurrect
    • Restore a copied index archive
  • Export event data
    • Export from the CLI
    • Export from the GUI
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Set up a WORM datastore
  • Delete data from the index
    • Delete everything
    • Delete a subset of events
• Bundles
  • What are Bundles?
  • How to create a bundle
  • Configure bundles
    • Making a bundle
  • Bundle directory structure
  • Bundle precedence
  • Bundle best practice
    • Testing bundles
• SplunkBase
  • Why use SplunkBase?
  • Sharing add-ons on SplunkBase
    • Creating Add-ons
    • Best practices for making add-ons containing Splunk configuration
    • Submit your add-on
  • Finding and downloading add-ons on SplunkBase
    • Implementing add-ons from SplunkBase
  • Looking up events on SplunkBase
    • Configuration
  • Security and privacy considerations
  • Control user access to SplunkBase
• Performance Tuning
  • Performance tuning Splunk
    • Hardware considerations
    • Increase indexing performance
    • Increase search speed
    • Improve storage efficiency
    • Reduce the CPU and memory footprint
    • Utilize multiple CPUs
    • 64-bit operating systems
    • Virtual machines
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • eventdiscoverer.conf
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • Tuning indexes.conf
    • Tuning props.conf
    • Make SplunkWeb search faster
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Virtual machines
• Routine Maintenance
  • System backups
    • Backups in 3 Easy Steps
  • Monitoring Splunk
    • via SplunkWeb
• How-To
  • Make SplunkWeb search faster
    • Enable core fields only
    • Disable related
    • Disable typeahead
  • Harden a Splunk server
  • Secure network connections
  • Restore a failed server
  • Change data policy to recover space
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Public server setup
  • Determine daily volume
  • Determine what files Splunk will be tailing
    • Running listtails
  • Set up auto-refresh
  • Upgrade your license for more data
  • How to use Splunk 2 Nagios
    • What Nagios logs
    • Install the Splunk2Nagios integration
  • Restore a blocked license
  • Customize the built-in help module
  • Configure GUI Timeout
  • Configure the Get Started module
  • Disable SplunkWeb
    • Edit web.conf
    • Run the disable command
    • Re-enable SplunkWeb
  • Configure OPSEC LEA Input
    • Installation
    • Checkpoint Modification
    • Configuration
  • Place Splunk behind a web proxy
    • Scenario:
    • Solution:
  • Cancel Search
  • Strip syslog headers before processing
  • Reconstitute Logs
    • Export event data
    • CLI search
  • Estimate the size of your Splunk index and associated data
• Troubleshooting
  • Splunkd is down
  • Splunk logfiles
    • Internal logs
    • debug
    • log.cfg
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • Cannot access License & Usage tab
    • I installed my license in a Preview release and now it doesn't work!
  • Unable to get a properly formatted response from the server
  • Contact Support
    • Work with Splunk Support
    • Log levels and starting in debug mode
• Reference
  • Splunk CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • Configuration file list
  • access_controls.conf
    • access_controls.conf.spec
    • access_controls.conf.example
  • alert_actions.conf
    • alert_actions.conf.spec
    • alert_actions.conf.example
  • auth.conf
    • auth.conf.spec
    • auth.conf.example
  • deployment.conf
    • deployment.conf.spec
    • deployment.conf.example
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
    • eventdiscoverer.conf.example
  • eventtypes.conf
    • eventtypes.conf.spec
    • eventtypes.conf.example
  • field_actions.conf
    • field_actions.conf.spec
    • field_actions.conf.example
  • indexes.conf
    • indexes.conf.spec
    • indexes.conf.example
  • inputs.conf
    • inputs.conf.spec
    • inputs.conf.example
  • literals.conf
    • literals.conf.spec
    • literals.conf.example
  • metaevents.conf
    • metaevents.conf.spec
    • metaevents.conf.example
  • outputs.conf
    • outputs.conf.spec
    • outputs.conf.example
  • prefs.conf
    • prefs.conf.spec
    • prefs.conf.example
  • props.conf
    • props.conf.spec
    • props.conf.example
  • savedsearches.conf
    • savedsearches.conf.spec
    • savedsearches.conf.example
  • segmenters.conf
    • segmenters.conf.spec
    • segmenters.conf.example
  • server.conf
    • server.conf.spec
    • server.conf.example
  • transforms.conf
    • transforms.conf.spec
    • transforms.conf.example
  • user-seed.conf
    • user-seed.conf.spec
    • user-seed.conf.example
  • web.conf
    • web.conf.spec
    • web.conf.example

Configure inputs via the CLI

In addition to using Splunk Web or editing inputs.conf, you can also use Splunk Command Line Interface (CLI) commands to configure data inputs.

To access Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory. Use a CLI command by typing $SPLUNK_HOME/bin/splunk [command name].

Note: Add Splunk to your shell path to use commands from any directory (by typing ./splunk [command name]).

Data input commands

Use Splunk CLI data commands to perform actions on data sources. Commands and data sources take various parameters depending on the combination you use. You can use five different commands to configure data inputs in the CLI:

• Add and configure initial input settings with the add command.
• Use spool to add a file, or directory by reading it only once.
• Make changes to an input source location, source host name, or input destination with edit.
• List your currently configured inputs with list.
• Remove a currently configured input with remove.

Note: Splunk's CLI help pages contain detailed syntax and usage information on all commands, objects, and parameters. Access the main CLI help page by typing: $SPLUNK_HOME/bin/splunk help. Individual commands, objects, and parameters have their own help pages as well, type: $SPLUNK_HOME/bin/splunk help [command/object/parameter name]

Data input types

You must specify a data input type to use with a data input command.

Change the configuration of each data input type by defining the parameters below.

Note: Optional parameters have the syntax: -parameter value.

Note: Use only one -hostname, -hostregex or -hostsegmentnum per command.

tail parameters

Required parameters

source

Path to the file or directory to monitor for new input.

Optional parameters

sourcetype	Specify a sourcetype field value for events from the input source.
index	Specify the destination index for events from the input source.
hostname	Specify a host name to set as the host field value for events from the input source.
hostregex	Specify a regular expression on the source file path to set as the host field value for events from the input source.
hostsegmentnum	Set the number of segments of the source file path to set as the host field value for events from the input source.
active-only	(T | F) True or False. Set true to tell Splunk to only keep indexing files that have write-permissions enabled.
follow-only	(T | F) True or False. Default False. When set to True, Splunk will read from the end of the source (like the "tail -f" Unix command).

watch parameters

Required parameters

source

Path to a directory to watch for new input.

Optional parameters

method	Set the method to bring files into Splunk (symlink or copy). Default is symlink.
sourcetype	Specify a sourcetype field value for events from the input source.
index	Specify the destination index for events from the input source.
hostname	Specify a host name to set as the host field value for events from the input source.
hostregex	Specify a regular expression on the source file path to set as the host field value for events from the input source.
hostsegmentnum	Set the number of segments of the source file path to set as the host field value for events from the input source.

fifo parameters

Required parameters

source

Path to a FIFO or named pipe to index.

Optional parameters

sourcetype	Specify a sourcetype field value for events from the input source.
index	Specify the destination index for events from the input source.
hostname	Specify a host name to set as the host field value for events from the input source.
hostregex	Specify a regular expression on the source file path to set as the host field value for events from the input source.
hostsegmentnum	Set the number of segments of the source file path to set as the host field value for events from the input source.

tcp & udp parameters

Required parameters

source

Port number to listen for data to index.

Optional parameters

sourcetype	Specify a sourcetype field value for events from the input source.
index	Specify the destination index for events from the input source.
hostname	Specify a host name to set as the host field value for events from the input source.
remotehost	Specify an IP address to exclusively accept data from.
resolvehost	Set True of False (T | F). Default is False. Set True to use DNS to set the host field value for events from the input source.

Examples

tail

Tail only writable files in /var/log/.

1. Add /var/log/ as a data input.

./splunk add tail /var/log/

2. Edit the input you added to tail only files that are still open for writing.

./splunk edit tail /var/log -active-only true

watch

Watch a directory and set host and sourcetype field values for each event that's indexed.

1. Add a watch to the directory /mnt/archive and set the host field value for events from the source to be the third segment of the file name.

./splunk add watch /mnt/archive -hostsegmentnum 3

2. Edit the input configuration to set the sourcetype field value for each event from the source to equal "myApp".

./splunk edit watch /mnt/archive -sourcetype myApp

fifo

Configure a FIFO input and set the host and sourcetype field values for each event that's indexed.

1. Add the FIFO input /var/run/syslogfifo and set the sourcetype field for each event from the source to equal "linux_messages_syslog".

./splunk add fifo /var/run/syslogfifo -sourcetype linux_messages_syslog

2. Edit the input configuration to set the host field value for all events from the source to equal "web01".

./splunk edit fifo /var/run/syslogfifo -hostname web01

tcp & udp

Configure a network input and set the sourcetype field value for each event that's indexed.

1. Configure a UDP input to watch port 514 and set the sourcetype field value for each event to equal "syslog".

./splunk add udp 514 -sourcetype syslog

2. Set the UDP input to use DNS to resolve the host name and set each event's host value to the resolved host name. You must have root access for ports under 1024. Use the auth parameter to authenticate in line.

./splunk edit udp 514 -resolvehost true -auth gwb:d3c1dr