• How Splunk Works
  • Overview of Splunk
    • Configuration options
    • Installation and upgrade
    • Data inputs
    • Indexing
    • Fields
    • Search
    • Security
    • Data management
    • Deployment server
    • Performance tuning
    • Configuration files
    • Applications
    • Customization
    • Troubleshooting
• Getting Started
  • Start Splunk
    • Before you start
    • Start Splunk on non-Windows platforms
    • Start Splunk on Windows
    • Load Splunk Web in your browser
  • Administration basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Find and index data
    • Add Data
    • Tail a file
    • Find logfiles
  • Add more users
    • Splunk local users
  • Start searching
• Data Inputs
  • How input configuration works
    • Files and directories
    • Network ports
    • Scripted inputs
    • Indexing properties
  • Configure inputs via Splunk Web
    • Configuration
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
  • Configure inputs via inputs.conf
    • Configuration
    • Global settings
    • Input types
    • Examples
  • Configure inputs for Windows
  • Scripted inputs
    • Configuration
    • Example
  • Configure whitelist and blacklist rules
    • Whitelist (allow) files
    • Blacklist (ignore) files
    • Verify your lists
  • Log file rotation
    • How log rotation works
  • Strip syslog headers before processing
    • Configuration
    • Example
  • Determine what files Splunk is tailing
    • Run listtails
  • Index SNMP events with Splunk
  • log4j
• Data Distribution
  • How data distribution works
    • Forwarding
    • Routing
    • Cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lightweight forwarding
  • Configure outputs.conf
    • Configuration
    • Example
  • Set up routing
    • Configuration
    • Examples
  • Filtering and routing
    • Configuration
    • Example
  • Route specific events to an alternate index
    • Configuration
    • Example
  • Set up SSL
    • Forwarder
    • Receiver
  • Enable cloning
  • Set up data balancing
    • Configuration
    • Example
  • Route data to third-party systems
    • Configuration
    • Example
• Indexing
  • How indexing works
    • How events work
    • How segmentation works
  • Configure event boundaries
    • Configuration
    • Examples
  • Configure segmentation
    • Inner segmentation
    • Outer segmentation
    • No segmentation
    • Splunk Web segmentation
  • Enable custom segmentation
    • Configuration
    • Example
  • Mask sensitive data in an event
    • Configuration
  • Character set
    • Character set specification
  • Dynamic metadata assignment
    • Configuration
    • Set values with a script
• Timestamps
  • How timestamp extraction works
    • Precedence rules for timestamp assignment
    • Configure timestamps
  • Configure timestamp extraction
    • Configure timestamp extraction in props.conf
    • Enhanced strptime() support
    • Examples
  • Configure timezone offsets
    • Configure timezone offsets in props.conf
    • zoneinfo (TZ) database
    • Configure timezone offsets for Splunk versions before 3.2
  • Configure European date formats
    • Configure European date format in literals.conf
    • Use the timeformat modifier
  • Configure positional timestamp extraction
    • Configure positional timestamp extraction in props.conf
  • Tune timestamp extraction for better indexing performance
    • Adjust timestamp lookahead
    • Turn off the timestamp processor
  • Train Splunk to recognize a timestamp
    • Steps to train Splunk to recognize a timestamp
    • Run the train command
    • Edit datetime.xml
    • Edit props.conf
• Fields
  • How fields work
    • Search time vs indexed time
    • Configure fields
    • Disable automatically extracted fields
    • Configuration files for fields
  • Create indexed fields via configuration files
    • Configuration
    • Example
  • Create extracted fields via configuration files
    • Configuration
    • Example
    • Extract fields from multi-line events
  • Create extracted fields via Splunk Web
    • Configuration
  • Field actions
    • Configuration
  • Configure fields.conf
    • Configuration
  • Configure multi-value fields
    • Configure multi-value fields in fields.conf
    • Example
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via Splunk Web
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via Splunk Web
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
• Source Types
  • How source types work
    • Source vs source type
    • How sourcetype= values are set
    • Source type precedence
    • Custom indexing linked to source types
    • Eliminate processing steps
    • Configuration files for source types
  • Set source type for an input
    • via Splunk Web
    • via configuration files
    • dynamically
  • Set source type for a source
    • via configuration files
  • Train Splunk on a source type
    • via the CLI
  • Create an alias for a source type
    • via Splunk Web
  • Rule-based association of sourcetypes
    • Configuration
    • Examples
  • Source type settings in props.conf
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Event type discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Save event types via Splunk Web
    • Configuration
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Tag event types
    • Configuration
  • Event type discovery
    • Configure event types
  • Event type templates
    • Configuration
    • Example
  • Dynamic event rendering
    • How dynamic event rendering works
    • Configure dynamic event rendering
    • Example
• Transaction Types
  • How transaction types work
    • Define transactions
    • Sample use cases
  • Transaction types via configuration files
    • Configuration
    • Example
  • Transaction search
    • Transactions and macro search
• Search
  • How search works
    • Saved searches
    • Alerting
    • Live Tail
  • Set up saved searches
    • via Splunk Web
  • Set up saved searches via savedsearches.conf
    • Configuration
    • Example
  • Set up alerts via Splunk Web
    • Set up an alert
    • Specify which fields to show
  • Set up alerts via savedsearches.conf
    • alerting options
    • display options
    • Script options
    • Example
  • Customize alert options
    • Email options
    • Additional alert customizations
  • Form searches
    • Create a form search
    • Form searches with fields
    • Form searches with predefined values
    • Share your form search
  • Macro searches
    • Configure a macro search
  • Live Tail
    • Use Live Tail in Splunk Web
    • The Live Tail interface
    • Start Live Tail from the Splunk CLI
    • Current limitations
  • Send syslog events
    • Configuration
    • Example
  • Send SNMP traps
    • Configuration
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via Splunk Web
  • Enable distributed search via the CLI
    • Configuration
  • Configure distributed search via distsearch.conf
    • Configuration
    • Example
  • Exclude specific Splunk servers from distributed searches
• Security
  • Security options
    • Authentication
    • Audit
  • Enable HTTPS
    • Configuration
    • Certs
  • SSL
    • Configuration
  • Configure roles
    • Configuration
    • Example
  • Set up LDAP
    • Configure LDAP
    • Example
    • Known issues with LDAP
  • Scripted authentication
    • Known issues with scripted auth
    • Configuration
    • Script commands
    • Example
  • File system change monitor
    • How the file system change monitor works
    • Configure the file system change monitor
  • Audit events
    • Audit event composition
    • Audit event generation
    • Audit event storage
    • Audit event processing
    • Search for audit events
  • Audit event signing
    • How audit event signing works
    • Configure audit event signing
  • Event hashing
    • How event hashing works
    • Event hashing in search results
    • Configure custom decorations for Splunk Web
    • Configure event hashing
    • Configure filtering
  • IT data signing
    • How IT data signatures work
    • Configure IT data signing
    • View the integrity of IT data
    • Performance implications
  • Archive signing
    • How archive signing works
    • Verify archived data signatures
    • Configure coldToFrozen scripts
    • Sign or verify your data slices
• Data Management
  • How index management works
    • Data management
    • Configuration files for index management
  • Add or remove an index
    • Create an index
    • Delete an index
  • Remove (delete) data
    • Remove event data from an index
    • Remove global data
    • Remove user data
    • Remove all data
    • Remove events from search results
  • Move an index
    • Configuration
  • Set retirement policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restore archived data
    • Restore with resurrect
    • Restore a copied index archive
  • Export event data
    • via the CLI
    • via Splunk Web
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Set up a WORM datastore
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Configuration
    • Example
  • Configure server classes
    • Configuration
    • Example
  • Configure deployment clients
    • Enable clients via the CLI
    • Enable clients via deployment.conf
    • Example
  • Sync the server and client
    • Configuration changes
• Performance Tuning
  • Performance tuning Splunk
    • Hardware considerations
    • Increase indexing performance
    • Increase search speed
    • Improve storage efficiency
    • Reduce the CPU and memory footprint
    • Utilize multiple CPUs
    • 64-bit operating systems
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • indexes.conf
    • props.conf
    • web.conf
    • fields.conf
    • Configure Splunk Web
  • Cache report results
    • Install and configure the reportcache script
    • Set up and test reportcache
    • Use cached data
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Splunk backup options
    • Back up configurations
    • Back up your entire installation
• Configuration Files
  • How do configuration files work?
    • Configuration file directory structure
    • Configuration file precedence
  • Configure bundle directories
    • Make a bundle directory
    • Bundle best practice
  • Configuration file list
• Applications
  • How applications work
    • Plan your application
    • Apply the Splunk Application Standard to your data
    • Build your application
    • Test your application
    • Package your application to share
    • Share your application on SplunkBase
  • Splunk application standard
    • Standard fields
    • Standard event type tags
    • Standard host tags
  • Apply the Splunk Application Standard to your data
    • Step 1: Determine which data you need to work with
    • Step 2: Check SplunkBase for existing data source applications
    • Step 3: Create any remaining data source applications
  • Install Splunk applications
    • Customize an application's event types
    • Customize an application's fields
    • Customize an application's inputs
    • Customize an application's saved searches and alerts
    • Customize an application's reports
  • How to use Splunk-2-Nagios
    • What Splunk-2-Nagios does
    • What Nagios logs
    • Install Splunk-2-Nagios
    • Deployment notes
  • Splunk-2-Netcool
    • System Requirements
    • Install Splunk-2-Netcool
    • Using Splunk-2-Netcool
    • More documentation, help, and support
  • Configure OPSEC LEA Input
    • Install the OPSEC LEA input application
    • Checkpoint Modification
    • Configuration
  • Install and configure Splunk for PCI
    • Install the application
    • Configure the application
• Reference
  • Splunk logfiles
    • Internal logs
    • debug
    • log.cfg
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • alert_actions.conf
    • alert_actions.conf.spec
    • alert_actions.conf.example
  • audit.conf
    • audit.conf.spec
    • audit.conf.example
  • authentication.conf
    • authentication.conf.spec
    • authentication.conf.example
  • authorize.conf
    • authorize.conf.spec
    • authorize.conf.example
  • decorations.conf
    • decorations.conf.spec
    • decorations.conf.example
  • deployment.conf
    • deployment.conf.spec
    • deployment.conf.example
  • distsearch.conf
    • distsearch.conf.spec
    • distsearch.conf.example
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
    • eventdiscoverer.conf.example
  • eventtypes.conf
    • eventtypes.conf.spec
    • eventtypes.conf.example
  • fields.conf
    • fields.conf.spec
    • fields.conf.example
  • field_actions.conf
    • field_actions.conf.spec
    • field_actions.conf.example
  • indexes.conf
    • indexes.conf.spec
    • indexes.conf.example
  • inputs.conf
    • inputs.conf.spec
    • inputs.conf.example
  • literals.conf
    • literals.conf.spec
    • literals.conf.spec
  • multikv.conf
    • multikv.conf.spec
    • Example
  • outputs.conf
    • outputs.conf.spec
    • outputs.conf.example
  • prefs.conf
    • prefs.conf.spec
    • prefs.conf.example
    • prefs.conf.example
  • props.conf
    • props.conf.spec
  • props.conf (cont)
    • props.conf.spec, continued
    • props.conf.example
  • restmap.conf
    • restmap.conf.spec
    • restmap.conf.spec
  • savedsearches.conf
    • savedsearches.conf.spec
    • savedsearches.conf.example
  • segmenters.conf
    • segmenters.conf.spec
    • segmenters.conf.example
  • server.conf
    • server.conf.spec
    • server.conf.example
  • source-classifier.conf
    • Configuration
    • Example
  • sourcetypes.conf
    • Configuration
    • Example
  • streams.conf
    • streams.conf.example
  • transactiontypes.conf
    • transactiontypes.conf.spec
    • transactiontypes.conf.example
  • transforms.conf
    • transforms.conf.spec
    • transforms.conf.example
  • user-seed.conf
    • user-seed.conf.spec
    • user-seed.conf.example
  • web.conf
    • web.conf.spec
    • web.conf.example
• Troubleshooting
  • Contact Support
    • infoGather
    • Log levels and starting in debug mode
    • Debug Splunk Web
    • Core Files
    • LDAP configurations
  • Splunkd is down
    • Splunkd may need a few more seconds to come up
    • Your license file contains line-breaks or other hidden characters
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • I installed my license in a Preview release and now it doesn't work!
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Unable to get a properly formatted response from the server
  • Command line tools
    • btool
    • classify
    • exporttool
    • gzdumper
    • listtails
    • locktest
    • locktool
    • parsetest
    • pcregextest
    • regextest
    • searchtest
    • signtool
    • tsidxprobe

Enable forwarding and receiving

Set up forwarding and receiving via Splunk Web or Splunk's CLI. To set up more sophisticated forwarding configurations, see this page on configuring outputs.conf.

You can set up two types of forwarders: standard and lightweight. If you configure a standard forwarder, it indexes the data before forwarding it to the receiving Splunk host. When you configure a lightweight forwarder, it sends un-indexed data to the receiving Splunk host. If you are using both types of forwarders, you must specify a different port for each type.

You must set up receiving before setting up forwarding. This way, the Splunk receiving host is prepared for the forwarded data.

Once you have enabled a Splunk instance to forward or receive data, you can configure additional settings, such as routing, cloning, filtering or data balancing. Configuration changes are done on the forwarder side, on the host that is reading the data input.

Note: An Enterprise license is required on each receiver node. Splunk instances that are forwarding can continue to use the free license. For customers with a valid support agreement that require authentication for all Splunk instances please contact support and request a forwarder license. This special forwarder license can be re-used on all forwarding instances.

Receiving

via Splunk Web

• Navigate to Splunk Web on the server that will receive data for indexing.

• Click the Admin link in the upper right hand corner of Splunk Web.

• Select the Distributed tab.

• Click Receive Data.

• To begin receiving data:
  • Set the radio button to Yes.
  • Specify the port that you want Splunk to listen on. This is also the port that Splunk instances use to forward data to this server.
  • Click the Save button to commit the configuration. You must restart the server for your changes to take effect.

via the CLI

Enable receiving from Splunk's CLI. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. Also, add Splunk to your path and use the splunk command.

To log in:

./splunk login
Splunk username: admin
Password: 

To enable receiving:

# ./splunk enable listen 42099 -auth admin:changeme
Listening for Splunk data on TCP port 42099.

To disable receiving:

# ./splunk disable listen -auth admin:changeme
No longer listening for Splunk TCP data.
You need to restart the Splunk Server for your changes to take effect.

Forwarding

You must first configure your receiving Splunk host using the instructions above before configuring forwarders.

via Splunk Web

• Navigate to Splunk Web on the server that will be forwarding data for indexing.
• Click the Admin link in the upper right-hand corner of Splunk Web.
• Select the Distributed tab.
• Click Forward Data.

To begin forwarding data:

• Set the Forward data to other Splunk Servers? radio button to Yes.
• Specify whether you want to keep a copy of the data local in addition to forwarding or just forward. Keeping a local copy allows you to search from the local server, but requires more space and memory.
• Specify the Splunk server(s) and port number to forward data to. The port number should be the same one that you specified when you configured receiving.
• Click the Save button to commit the configuration. You need to restart the server for your changes to take effect.

via Splunk CLI

Enable forwarding from the Splunk CLI. Navigate to your $SPLUNK_HOME/bin directory on the forwarding server and log in to the CLI. Also add Splunk to your path and use the splunk command.

./splunk login
Splunk username: admin
Password: 

To enable forwarding:

# ./splunk add forward-server 10.2.2.2:9999 -auth admin:changeme

To disable forwarding:

# ./splunk remove forward-server 10.2.2.2:9999 -auth admin:changeme

Lightweight forwarding

If you have installed Splunk on a server generating event data, you may want to forward events to a central Splunk server for indexing. This decreases the workload on the forwarding server. To further reduce the work performed on the forwarding side, enable lightweight forwarding. With a lightweight forwarder, all optional processing is moved to the indexing server. Specifically a lightweight forwarding modifies the server to:

• Turn off Splunk internal logging (via $SPLUNK_HOME/etc/bundles/local/inputs.conf).
• Eliminate batch, exec, fifo, tcp, and udp input modules from splunkd (which decreases memory utilization).
• Replace splunkd.xml with splunkd.xml.forwarder.

You must first configure your receiving Splunk host using the instructions above before configuring forwarders.
Additionally, if you have deployed both standard and lightweight forwarders, you must ensure that each type of forwarder is sending to its own port on the receiver.

With lightweight forwarding, timestamp and host processing still happen on the forwarding side so that this data is accurate.

Configuration

Turn lightweight forwarding on and off with Splunk's CLI. To use Splunk's CLI, navigate to $SPLUNK_HOME/bin/ and use the ./splunk command. You can also add Splunk to your path and use the splunk command.

To enable lightweight forwarding, use this CLI command on the forwarding server:

./splunk set server-type forwarder

To disable lightweight forwarding, use this CLI command on the forwarding server:

./splunk set server-type default

To use a scripted input on your lightweight forwarder, you need to re-enable the exec processor. To do this, go into $SPLUNK_HOME/etc/modules/input/exec and copy the existing config.xml.default to config.xml. This enables the module and on restart it will be inserted into the pipeline.

Transplant Parsing from Forwarder

By default, the lightweight forwarder still parses data with props.conf (i.e. character encoding, timestamp extraction, line-merging) on the forwarder and then sends the parsed data to be indexed. Although parsing is not nearly as resource intensive as indexing, you may still want to avoid doing it on the forwarder.

To disable parsing on the forwarder, configure inputs.conf for each input, or as a global setting:

queue=indexQueue 

On the receiving side, the default for splunktcp input is to skip parsing and send data directly to be indexed. To change this, inputs.conf must specify:

[splunktcp://<remote server>:<port>]
queue=parsingQueue