Documentation: 3.2.2
This page last updated: 04/02/08 12:04pm

Configure inputs via Splunk Web

Follow these instructions to configure data inputs via Splunk Web. You can also configure data inputs via Splunk's CLI or a configuration file.

Configuration

  • Click Admin in the upper right-hand corner of Splunk Web.
  • Then click the Data Inputs tab. Pick from the following input categories:
  • All - Display and access the following data input categories:
    • Files & Directories - Display and access configuration of each path being read by Splunk.
    • FIFO Queues - Display and access configuration of each FIFO being processed by Splunk.
    • Network Ports - Display and access configuration for UDP and TCP ports.
  • Click the Add Inputs link next to a category to configure new inputs. Pick from the following options:

Files and directories

  • Under the Source heading, pick a Data Access method:
    • Spool:
      • Copy a file on the server into Splunk via the sinkhole directory.
    • Tail:
      • A file or directory continuously monitored for new input to index.
    • Upload:
      • Upload a file from your local machine into Splunk.
    • Watch and copy:
      • Copy files from a directory into Splunk.
    • Watch and symlink:
      • Same as watch and copy; creates a symlink instead of copying the files.
  • Then, specify the pathname to the file or directory. If you select the Upload method, you are presented with a Browse... button.
  • Under the Host heading, select the host name. You have several choices if you are using Tail or Watch methods. Learn more about setting host value.
  • Now set the Source Type. Source type is a default field added to events. Source type is used to determine processing characteristics such as timestamps and event boundaries. Learn more about setting source type.
  • After specifying the source, host, and source type, click the Add button.

FIFO queues

  • Under the Source heading, type in the path to the FIFO.
  • Under the Host heading, accept the default host name or enter a new hostname/IP address.
  • Under the Source Type heading choose:
    • From List:
      • Select one of the pre-defined source types from the drop-down list.
    • Manual:
      • Label your own source type in the text box.
  • Click the Add button.

Network ports

With a Splunk Enterprise license, you can define input from any TCP or UDP port.

  • Under the Source heading, select Protocol of UDP or TCP.
  • Accept the default port, 9998, or enter another port number.
  • Specify whether this port should accept connections from all hosts or one host.
    • If you specify one host, enter the IP address of the host.
  • Under the Source Type heading choose:
    • From List:
      • Select one of the pre-defined source types from the drop-down list.
    • Manual:
      • Label your own source type in the text box.
  • Click the Add button.

Comments

  1. spool is only for a file -- the naming is a bit confusing, but the functionality (in Splunk Web) is essentially the same as upload, except you are uploading a file from the server running Splunk instead of a file from your local machine (assuming these are two different boxes). under the hood, spool copies a file into the sinkhole directory. if you want to recursively copy files, you can a) set up your own sinkhole dir with a script to copy files in or b) use tail.

    this functionality will be updated shortly. please send any enhancement requests to support@splunk.com so they can keep track of them.

  2. Thanks for the updates Emma. They look good. One quick correction to the section you added. When doing a "Spool" from the web interface, you can't specify a directory. It wants a file name. The only way you can do a directory is by using a wild card (i.e., /home/user/logs/*). I haven't tried it from the CLI to see if it has the same restriction, so you may want to verify.

    Any chance of adding a feature request for this functionality? It would be nice to be able to spool a directory recursively. It would also be nice to have the "regex in path" and "segment in path" functionality for host names when spooling directories.

  3. when you upload a file, it does get written to disk first. there's a hard 10G limit, but we advise that you don't attempt to upload files larger than 500 MB (depending on your system's capabilities).

    if you're not able to upload directly into Splunk Web, try copying the file into the spool directory: $SPLUNK_HOME/var/spool/splunk/.

  4. i've posted descriptions of each input type here. hope that helps!

  5. Also, I've seen strange behavior when I use the upload feature when used with large (>100MB) files, such as locking up my browser. Does it write the file to disk before indexing, or does it try to index as it receives it via HTTP?

  6. It may be helpful for you to clarify what "Spool" does here. It explains it in the CLI section, but I suspect the majority of your users will try to do it via the web interface and never look at the CLI section.
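Comments 1 and 3 suggest a script that copies files into the spool directory as the way to spool a directory tree recursively. The sketch below is an added example, not part of the original page or of Splunk's own tooling. The function name `spool_tree`, the `.staging` directory beside the spool directory, and the use of the 500 MB advisory figure as a default size cap are assumptions; it also assumes file names contain no newlines.

```shell
#!/bin/sh
# Added example (not Splunk code): recursively copy regular files from a
# directory tree into the spool directory named in comment 3.
# Usage: spool_tree /var/log/myapp "$SPLUNK_HOME/var/spool/splunk"
# Prints the number of files delivered; skipped files are reported on stderr.
spool_tree() {
    src=${1%/}                 # source tree, trailing slash removed
    spool=${2%/}               # spool (sinkhole) directory
    max=${3:-524288000}        # per-file byte cap; default is the 500 MB advice
    stage="$spool.staging"     # hypothetical staging dir on the same filesystem

    mkdir -p "$stage" || return 1

    # "-type f" selects regular files only, so symlinks, FIFOs and device
    # nodes in the tree are never copied into the spool directory.
    find "$src" -type f | {
        copied=0
        while IFS= read -r f; do
            size=$(( $(wc -c < "$f") ))
            if [ "$size" -gt "$max" ]; then
                echo "skip (over $max bytes): $f" >&2
                continue
            fi
            # Flatten the relative path into one file name so files with the
            # same base name in different subdirectories stay distinct.
            rel=${f#"$src"/}
            name=$(printf '%s' "$rel" | tr '/' '_')
            if [ -e "$spool/$name" ]; then
                echo "skip (already spooled): $f" >&2
                continue
            fi
            # Copy into staging first, then rename into the spool directory:
            # the rename is atomic on one filesystem, so a half-written file
            # is never visible there (assumption: the spool directory is
            # consumed as soon as files appear in it).
            cp -- "$f" "$stage/$name" &&
                mv -- "$stage/$name" "$spool/$name" &&
                copied=$((copied + 1))
        done
        echo "$copied"
    }
}
```

Run it as a user that has read access only to the logs you intend to index, since every regular file under the source tree is handed to the indexer.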
