Documentation:
3.2.3
inputs.conf configures all inputs to Splunk including file and directory tailing and watching, network ports and scripted inputs.
For help configuring inputs via inputs.conf, see configure inputs via inputs.conf.
inputs.conf.spec
# This file contains possible attributes and values you can use to configure inputs,
# distributed inputs and file system monitoring in inputs.conf.
#
# There is an inputs.conf in $SPLUNK_HOME/etc/bundles/default/. To set custom configurations,
# place an inputs.conf in your own custom bundle directory. For examples, see inputs.conf.example.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
#
#******************************************************************************
# GLOBAL SETTINGS:
# The following attributes/value pairs are valid for ALL input types
#******************************************************************************
host = <string>
* Set the host value of your input to a static value.
* "host::" is automatically prepended to the value when this shortcut is used.
index = <string>
* Set the index where events from this input will be stored.
* "index::" is automatically prepended to the value when this shortcut is used.
source = <string>
* Set the source name of events from this input.
* "source::" is automatically prepended to the value when this shortcut is used.
sourcetype = <string>
* Set the sourcetype name of events from this input.
* "sourcetype::" is automatically prepended to the value when this shortcut is used.
queue = <string> (parsingQueue, indexQueue, etc)
* Specify where the input processor should deposit the events that it reads.
* Can be any valid, existing queue in the pipeline.
#******************************************************************************
# Valid <inputtypes> follow, with input-specific attributes listed as well.
#******************************************************************************
#******************************************************************************
# TAIL:
#******************************************************************************
[tail://<path>]
* This directs Splunk to watch all files in the <path>.
* <path> can be an entire directory or just a single file.
# Additional attributes:
host_regex = <regular expression>
* If specified, the regex will extract host from the filename of each input.
* Specifically, the first group of the regex is used as the host.
* If the regex fails to match, the default "host =" attribute is used.
host_segment = <integer>
* If specified, the '/' separated segment of the path will be set as host.
* If the value is not an integer, or is less than 1, the default "host =" attribute is used.
_whitelist = <regular expression>
* If set, files from this path will be tailed only if they match the specified regex.
_blacklist = <regular expression>
* If set, files from this path will NOT be tailed if they match the specified regex.
Wildcards and tailing:
... = will recurse through directories until the match is met.
* = will match anything in that specific path segment. It cannot be used inside a directory path;
it must be used in the last segment of the path.
crcSalt = <string>
* If set, this string will be added to the CRC.
* This can be used to force Splunk to consume files that have matching CRCs.
* If the string <SOURCE> is specified, then the full source path will be added to the CRC.
followTail = 0|1
* If set to 1, monitoring will begin at the end of the file (like tail -f).
* This will only apply to files the first time they are picked up.
* After that, Splunk's internal file position records keep track of the file.
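The path matching, host derivation and whitelist/blacklist rules above, worked through as an added Python example (illustrative code written for this page, not Splunk's own tailing code). It assumes that host_regex is applied to the full path of the file, that a pattern without wildcards names a directory and matches everything beneath it (as the /mnt/logs host_segment example below implies), that host_segment counts '/'-separated segments after the leading slash (segment 3 of /mnt/logs/web01/app.log is web01), and that host_regex is tried before host_segment when both are set, which the spec does not say.

```python
import re


def tail_pattern_to_regex(pattern):
    """Compile a [tail://<path>] pattern into an anchored regex.

    '...' recurses through any number of directory levels; '*' matches within
    one path segment and is only allowed in the last segment.  A pattern with
    no wildcards names a directory (or file) and matches everything beneath it
    (assumption, consistent with the /mnt/logs example in this spec).
    """
    segments = pattern.split("/")
    if any("*" in seg for seg in segments[:-1]):
        raise ValueError("'*' is only allowed in the last path segment: %s" % pattern)
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    body = "".join(out)
    if "*" not in pattern and "..." not in pattern:
        body += "(/.*)?"  # plain path: the path itself or anything below it
    return re.compile("^" + body + "$")


def tail_matches(pattern, path):
    """True if a file path is covered by the given tail:// pattern."""
    return tail_pattern_to_regex(pattern).match(path) is not None


def derive_host(path, default_host, host_regex=None, host_segment=None):
    """Choose the host value for events read from one tailed file.

    host_regex: first capture group of the regex, applied here to the full
    path (assumption); falls back if it does not match.
    host_segment: 1-based '/'-separated segment after the leading slash;
    ignored if it is not an integer, is < 1, or points past the end.
    Otherwise the static 'host =' value is used.
    """
    if host_regex:
        m = re.search(host_regex, path)
        if m and m.lastindex:
            return m.group(1)
    if host_segment is not None:
        try:
            n = int(host_segment)
        except (TypeError, ValueError):
            return default_host
        parts = path.strip("/").split("/")
        if 1 <= n <= len(parts):
            return parts[n - 1]
    return default_host


def should_tail(path, whitelist=None, blacklist=None):
    """_whitelist: tail only files matching the regex; _blacklist: never tail matching files."""
    if whitelist and not re.search(whitelist, path):
        return False
    if blacklist and re.search(blacklist, path):
        return False
    return True
```

A host_segment that is out of range silently yields the static host, so a stanza whose directory layout changes under it will start mislabelling events without any error; the audit of such settings belongs in a configuration review, not in the data.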
#******************************************************************************
# BATCH:
#******************************************************************************
[batch://<path>]
* Same as tailing, except Splunk uses the batch file loader.
* This is for files that are closed for writing.
* For open files, use tail.
# Additional attributes:
move_policy = {passive_symlink, passive_copy, sinkhole}
* Set the file handling policy.
* The "sinkhole" policy deletes the files as they are read.
* The other two methods link or copy the files into a separate directory.
* Defaults to passive_symlink.
host_regex (see Tailing)
host_segment (see Tailing)
# IMPORTANT: The following are not used by the batch loader:
source = <string>
<KEY> = <string>
#******************************************************************************
# TCP:
#******************************************************************************
[tcp://<remote server>:<port>]
* Configure Splunk to listen on a specific port.
* If a connection is made from <remote server>, this stanza is used to configure the input.
* If <remote server> is blank, this stanza matches all connections on the specified port.
# Additional attributes:
connection_host = {ip,dns}
* If "ip" is set, the TCP input processor will rewrite the host with the ip address of the remote server.
* If "dns" is set, the host will be rewritten with the DNS entry of the remote server.
* Defaults to ip.
#******************************************************************************
# Data distribution:
#******************************************************************************
[splunktcp://<remote server>:<port>]
* This is the same as TCP, except the remote server is assumed to be a Splunk Server.
* For SplunkTCP, the host or connection_host will be used if the remote Splunk Server does not
set a host, or if the host is set to host::localhost.
* See documentation in the Admin guide for help configuring forwarding.
# SSL settings for data distribution:
[SSL]
serverCert=<path>
* Full path to the server certificate.
password=<string>
* Server certificate password, if any.
rootCA=<string>
* Certificate authority list (root file).
dhfile=<path>
* Path to the dhfile.pem.
* Optional.
requireClientCert=<true|false>
* Toggle whether it is required for a client to authenticate.
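An added example, not from this page or from Splunk: a small Python audit of an inputs.conf against the rules described above for tcp, splunktcp, [SSL], tail and batch inputs. It flags listeners whose <remote server> is blank (they accept data from any host), connection_host = dns (the host field then comes from reverse DNS, and the sender's network controls its own PTR records), a splunktcp listener with no [SSL] stanza or with requireClientCert not set to true, requireClientCert = true with no rootCA to validate against, host_segment values that silently fall back to the static host, '*' outside the last path segment, and move_policy = sinkhole. Both embedded configurations are constructed for the example and the certificate paths under /opt/splunk/etc/auth/ are assumptions.

```python
import re

# Constructed weak configuration (not a real deployment).
WEAK_CONF = """
[splunktcp://:9996]
queue = indexQueue

[tcp://:9995]
connection_host = dns
sourcetype = log4j

[tail:///var/*/log]
host_segment = 0

[batch:///data/drop]
move_policy = sinkhole

[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
requireClientCert = false
"""

# The same inputs with the weak settings corrected (paths are assumed).
HARDENED_CONF = """
[splunktcp://10.1.1.100:9996]
queue = indexQueue

[tcp://syslog.corp.company.net:514]
sourcetype = syslog
connection_host = ip

[tail:///var/log/.../*.log]
host_segment = 3

[batch:///data/drop]
move_policy = passive_copy

[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
rootCA = /opt/splunk/etc/auth/cacert.pem
requireClientCert = true
"""


def parse_conf(text):
    """Minimal inputs.conf reader: list of (stanza name, {attribute: value}) in file order."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return stanzas


LISTENER = re.compile(r"^(tcp|splunktcp)://([^:]*):(\d+)$", re.IGNORECASE)


def audit(text):
    """Return a list of (stanza, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    stanzas = parse_conf(text)
    ssl = next((attrs for name, attrs in stanzas if name == "SSL"), None)
    splunktcp_seen = False
    for name, attrs in stanzas:
        m = LISTENER.match(name)
        if m:
            proto, remote, port = m.group(1).lower(), m.group(2), m.group(3)
            if remote == "":
                findings.append((name, "accepts %s data on port %s from ANY remote server" % (proto, port)))
            if proto == "splunktcp":
                splunktcp_seen = True
            if attrs.get("connection_host", "ip") == "dns":
                findings.append((name, "host comes from the sender's reverse DNS, which the sender's "
                                       "network controls; do not treat host as authenticated"))
        elif name.lower().startswith("tail://"):
            segments = name[len("tail://"):].split("/")
            if any("*" in s for s in segments[:-1]):
                findings.append((name, "'*' is only valid in the last path segment; use '...' to recurse"))
            hs = attrs.get("host_segment")
            if hs is not None and (not hs.isdigit() or int(hs) < 1):
                findings.append((name, "host_segment=%s is ignored; events fall back to the static host" % hs))
        elif name.lower().startswith("batch://"):
            if attrs.get("move_policy", "passive_symlink") == "sinkhole":
                findings.append((name, "move_policy=sinkhole deletes the source files as they are read"))
    if splunktcp_seen:
        if ssl is None:
            findings.append(("SSL", "splunktcp listener with no [SSL] stanza: forwarded data is "
                                    "neither encrypted nor authenticated"))
        else:
            if "serverCert" not in ssl:
                findings.append(("SSL", "serverCert is missing"))
            if ssl.get("requireClientCert", "false").lower() != "true":
                findings.append(("SSL", "requireClientCert is not true: forwarders are not "
                                        "authenticated by certificate"))
            elif "rootCA" not in ssl:
                findings.append(("SSL", "requireClientCert=true but no rootCA: no CA list to "
                                        "validate client certificates against"))
    return findings
```

Run `audit(open(path).read())` against a bundle's inputs.conf; the hardened sample above audits clean, the weak one produces seven findings.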
#******************************************************************************
# UDP:
#******************************************************************************
[udp://:<port>]
* Similar to TCP, except that it listens on a UDP port.
# Additional attributes:
_rcvbuf = <int>
* Specify the receive buffer for the UDP port.
* If the value is 0 or negative, it will be ignored.
* The default value for Splunk is 1MB (the default in the OS varies).
#******************************************************************************
# FIFO:
#******************************************************************************
[fifo://<path>]
* This directs Splunk to read from a FIFO at the specified path.
#******************************************************************************
# Scripted Input:
#******************************************************************************
[script://<cmd>]
* Will run the command "cmd" at a configured interval and index the output.
* The command must reside in the $SPLUNK_HOME/etc/bundles/$YOUR_BUNDLE/bin directory.
interval = <integer>
* How often to execute the specified command (in seconds).
* If interval is not specified, it will default to 60 seconds.
passAuth = <username>
* User that this script should be run as.
* If a username is provided, Splunk generates an auth token for that user and passes it to the script via stdin.
#******************************************************************************
# File System Monitoring:
#******************************************************************************
[fschange:<directory or file to monitor>]
* Monitor all add/update/deletes to this directory and sub directories.
* Sends an event for every change.
# Additional attributes:
filters=<filter1>,<filter2>,...<filterN>
* Each filter is applied left to right for each file or directory found during the monitor's poll cycle.
* See "File System Monitoring Filters" below for help defining a filter.
recurse=<true | false>
* If true, recurse directories within the directory specified in [fschange].
* Defaults to true.
followLinks=<true | false>
* Follow symbolic links if true.
* It is recommended that you do not set this to true or file system loops may occur.
* Defaults to false.
pollPeriod=N
* Check this directory for changes every N seconds.
* Defaults to 3600.
hashMaxSize=N
* Calculate a SHA256 hash for every file whose size is <= N bytes.
* This hash is used as an additional method for detecting change in the file/directory.
* Defaults to -1 (disabled).
fullEvent=<true | false>
* Set to true to send the full event if an add or update change is detected.
* Further qualified by the 'sendEventMaxSize' attribute.
* Defaults to false.
sendEventMaxSize=N
* Only send the full event if the size of the event is less than or equal to N bytes.
* This limits the size of indexed file data.
* Defaults to -1, which is unlimited.
signedaudit=<true | false>
* Send cryptographically signed add/update/delete events.
* NOTE: You MUST enable auditing in audit.conf.
* Defaults to false.
index=<indexname>
* The index to store all events generated.
* Defaults to _audit.
# File System Monitoring Filters:
[filter:<filtertype>:<filtername>]
* Define a filter of type 'filtertype' and name it 'filtername'.
<filtertype>
* Filter types can be 'blacklist' or 'whitelist'.
* A whitelist filter processes all file names that match the regex list.
* A blacklist filter skips all file names that match the regex list.
<filtername>
* The filter name is used in the comma separated list when defining a file system monitor.
regexN=<regex>
* Blacklist and whitelist filters can include a set of regexes.
* The name of each regex MUST be 'regexN', where N starts at 1 and increments.
* Each regex will be applied in numeric order:
regex1=<regex>
regex2=<regex>
...
inputs.conf.example
# This is an example inputs.conf. Use this file to configure data inputs.
#
# There is an inputs.conf in the default directory ($SPLUNK_HOME/etc/bundles/default/).
# To set custom configurations, place an inputs.conf in your own custom bundle directory.

[tail:///var/log]
# This configuration directs Splunk to read all the files in the directory /var/log.

[tail:///var/log/httpd]
sourcetype = access_common
# This configuration directs Splunk to read all the files under /var/log/httpd and classify them
# as sourcetype::access_common.

[tail:///mnt/logs]
host_segment = 3
# This configuration directs Splunk to read all the files under /mnt/logs. When the path is
# /mnt/logs/<host>/... this will set the hostname (by file) to <host>.

[tcp://:9997]
# This configuration directs Splunk to listen on TCP port 9997 for raw data from ANY remote server
# (not just a Splunk instance). The host of the data is set to the IP address of the remote server.

[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995
# This configuration directs Splunk to listen on TCP port 9995 for raw data from ANY remote server.
# The host of the data is set as the host name of the remote server. All data will also be
# assigned the sourcetype "log4j" and the source "tcp:9995".

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log
# This configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10.
# Connections from that address use this stanza rather than the [tcp://:9995] stanza above.
# All data is assigned the host "webhead-1", the sourcetype "access_common" and the
# source "//10.1.1.10/var/log/apache/access.log".

[splunktcp://:9996]
queue = indexQueue
connection_host = dns
# This configuration directs Splunk to listen on TCP port 9996 for data forwarded from ANY
# remote Splunk server. The data is delivered directly to the indexer on the local machine without any
# further processing. The host of the data is set to the host name of the remote server ONLY
# IF the remote data has no host set, or if it is set to "localhost".

[splunktcp://10.1.1.100:9996]
# This configuration directs Splunk to listen on TCP port 9996 for data forwarded from
# 10.1.1.100. The data is processed the same as locally indexed data.

[tcp://syslog.corp.company.net:514]
sourcetype = syslog
connection_host = dns
# This configuration directs Splunk to listen on TCP port 514 for data from
# syslog.corp.company.net. The data is assigned the sourcetype "syslog" and the host
# is set to the host name of the remote server.
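The poll cycle, filters and hashMaxSize behaviour of [fschange] stanzas, as an added Python example that is not Splunk's own implementation. It takes the spec's filter description to mean that a whitelist lets only matching file names continue and a blacklist drops matching names, applies filters to the file name with regexN entries tried in numeric order, and mirrors the followLinks = false and hashMaxSize = -1 defaults. The demo edits a file in place while keeping its size and restoring its mtime: the poll without hashing reports nothing, while the poll with hashMaxSize set reports an update. The files and their contents are constructed in a temporary directory.

```python
import hashlib
import os
import re
import shutil
import tempfile


def compile_filter(ftype, patterns):
    """One [filter:<type>:<name>] entry from its regex1..regexN list, kept in numeric order."""
    return (ftype, [re.compile(p) for p in patterns])


def file_allowed(path, filters):
    """Apply the stanza's 'filters=' list left to right to the file name.

    A whitelist must match for the file to continue; a matching blacklist
    drops it.  (This reading of "processes"/"skips" is the example's assumption.)
    """
    name = os.path.basename(path)
    for ftype, regexes in filters:
        matched = any(r.search(name) for r in regexes)
        if (ftype == "whitelist" and not matched) or (ftype == "blacklist" and matched):
            return False
    return True


def snapshot(root, filters=(), recurse=True, hash_max_size=-1):
    """One poll cycle: size, mtime and, for files <= hash_max_size bytes, a SHA256 digest.

    hash_max_size=-1 disables hashing (the spec default); followlinks=False
    mirrors the followLinks default so symlink loops cannot occur.
    """
    state = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if not recurse:
            dirnames[:] = []
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if not file_allowed(path, filters):
                continue
            st = os.stat(path)
            digest = None
            if 0 <= st.st_size <= hash_max_size:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            state[path] = (st.st_size, st.st_mtime_ns, digest)
    return state


def changes(old, new):
    """Events between two polls: one ('add' | 'update' | 'delete', path) per change."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append(("add", path))
        elif path not in new:
            events.append(("delete", path))
        elif old[path] != new[path]:
            events.append(("update", path))
    return events


def demo():
    """Edit a file in place, keep its size and restore its mtime; only the hashed poll notices."""
    root = tempfile.mkdtemp()
    try:
        filters = [compile_filter("blacklist", [r"\.tmp$"])]
        log = os.path.join(root, "app.log")
        with open(log, "w") as fh:
            fh.write("user=alice ok\n")  # constructed content
        with open(os.path.join(root, "scratch.tmp"), "w") as fh:
            fh.write("never monitored\n")  # dropped by the blacklist
        st = os.stat(log)
        plain_before = snapshot(root, filters)  # hashMaxSize=-1
        hashed_before = snapshot(root, filters, hash_max_size=4096)
        with open(log, "w") as fh:
            fh.write("user=mallo ok\n")  # same length as the original
        os.utime(log, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the old timestamp back
        plain_after = snapshot(root, filters)
        hashed_after = snapshot(root, filters, hash_max_size=4096)
        return changes(plain_before, plain_after), changes(hashed_before, hashed_after)
    finally:
        shutil.rmtree(root)
```

Without hashing, a change that preserves size and mtime is invisible to the poll, which is why hashMaxSize matters for directories such as /etc where a tampered file is the thing you want to catch; the cost is reading every file under the size limit on each pollPeriod.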