• How Splunk Works
  • Overview of Splunk
    • Configuration options
    • Installation and upgrade
    • Data inputs
    • Indexing
    • Fields
    • Search
    • Security
    • Data management
    • Deployment server
    • Performance tuning
    • Configuration files
    • Applications
    • Customization
    • Troubleshooting
• Getting Started
  • About the getting started section
  • Start Splunk
    • Before you start
    • Start Splunk on non-Windows platforms
    • Start Splunk on Windows
    • Load Splunk Web in your browser
  • Administration basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Find and index data
    • Add Data
    • Tail a file
    • Find logfiles
  • Add more users
    • Splunk local users
  • Start searching
• Data Inputs
  • How input configuration works
    • Files and directories
    • Network ports
    • Scripted inputs
    • Indexing properties
  • Configure inputs via Splunk Web
    • Configuration
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
  • Configure inputs via inputs.conf
    • Configuration
    • Global settings
    • Input types
    • Examples
  • Configure inputs for Windows
  • Scripted inputs
    • Configuration
    • Example
  • Configure whitelist and blacklist rules
    • Whitelist (allow) files
    • Blacklist (ignore) files
    • Verify your lists
  • Log file rotation
    • How log rotation works
  • Strip syslog headers before processing
    • Configuration
    • Example
  • Determine what files Splunk is tailing
    • Run listtails
  • Index SNMP events with Splunk
  • log4j
• Data Distribution
  • How data distribution works
    • Forwarding
    • Routing
    • Cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lightweight forwarding
  • Configure outputs.conf
    • Configuration
    • Example
  • Set up routing
    • Configuration
    • Examples
  • Filtering and routing
    • Configuration
    • Example
  • Route specific events to an alternate index
    • Configuration
    • Example
  • Set up SSL
    • Forwarder
    • Receiver
  • Enable cloning
  • Set up data balancing
    • Configuration
    • Example
  • Route data to third-party systems
    • Configuration
    • Example
• Indexing
  • How indexing works
    • How events work
    • How segmentation works
  • Configure event boundaries
    • Configuration
    • Examples
  • Configure segmentation
    • Inner segmentation
    • Outer segmentation
    • No segmentation
    • Splunk Web segmentation
  • Enable custom segmentation
    • Configuration
    • Example
  • Mask sensitive data in an event
    • Configuration
  • Character set
    • Character set specification
  • Dynamic metadata assignment
    • Configuration
    • Set values with a script
• Timestamps
  • How timestamp extraction works
    • Precedence rules for timestamp assignment
    • Configure timestamps
  • Configure timestamp extraction in props.conf
    • Configuration
    • Enhanced strptime() support
    • Examples
  • How to configure timezone offsets
    • Configuration
    • Posix TZ formats
    • Examples
  • Tune Timestamping
    • Turn off timestamp lookahead
  • Train Splunk to recognize timestamps
    • About training
    • via the CLI
• Fields
  • How fields work
    • Search time vs indexed time
    • Configure fields
    • Disable automatically extracted fields
    • Configuration files for fields
  • Create indexed fields via configuration files
    • Configuration
    • Example
  • Create extracted fields via configuration files
    • Configuration
    • Example
    • Extract fields from multi-line events
  • Create extracted fields via Splunk Web
    • Configuration
  • Field actions
    • Configuration
  • Configure fields.conf
    • Configuration
  • Configure multi-value fields
    • Configure multi-value fields in fields.conf
    • Example
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via Splunk Web
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via Splunk Web
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
• Source Types
  • How source types work
    • Source vs source type
    • How sourcetype= values are set
    • Source type precedence
    • Custom indexing linked to source types
    • Eliminate processing steps
    • Configuration files for source types
  • Set source type for an input
    • via Splunk Web
    • via configuration files
    • dynamically
  • Set source type for a source
    • via configuration files
  • Train Splunk on a source type
    • via the CLI
  • Create an alias for a source type
    • via Splunk Web
  • Rule-based association of sourcetypes
    • Configuration
    • Examples
  • Source type settings in props.conf
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Event type discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Save event types via Splunk Web
    • Configuration
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Tag event types
    • Configuration
  • Event type discovery
    • Configure event types
  • Event type templates
    • Configuration
    • Example
  • Dynamic event rendering
    • How dynamic event rendering works
    • Configure dynamic event rendering
    • Example
• Search
  • How search works
    • Saved searches
    • Alerting
    • Live Tail
  • Set up saved searches
    • via Splunk Web
  • Set up saved searches via savedsearches.conf
    • Configuration
    • Example
  • Set up alerts via Splunk Web
    • Set up an alert
    • Specify which fields to show
  • Set up alerts via savedsearches.conf
    • alerting options
    • display options
    • Script options
    • Example
  • Customize alert options
    • Email options
    • Additional alert customizations
  • Form searches
    • Create a form search
    • Form searches with fields
    • Form searches with predefined values
    • Share your form search
  • Macro searches
    • Configure a macro search
  • Transaction search
    • Transactions and macro search
  • Live Tail
    • Use Live Tail in Splunk Web
    • The Live Tail interface
    • Start Live Tail from the Splunk CLI
    • Current limitations
  • Send syslog events
    • Configuration
    • Example
  • Send SNMP traps
    • Configuration
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via Splunk Web
  • Enable distributed search via the CLI
    • Configuration
  • Users in a distributed search setup
  • Exclude specific Splunk servers from distributed searches
• Security
  • Security options
    • Authentication
    • Audit
  • Enable HTTPS
    • Configuration
    • Certs
  • SSL
    • Configuration
  • Configure roles
    • Configuration
    • Example
  • Set up LDAP
    • Configure LDAP
    • Example
    • Known issues with LDAP
  • Scripted authentication
    • Commands
    • Example
  • File system change monitor
    • How the file system change monitor works
    • Configure the file system change monitor
  • Audit events
    • Audit event composition
    • Audit event generation
    • Audit event storage
    • Audit event processing
    • Search for audit events
  • Audit event signing
    • How audit event signing works
    • Configure audit event signing
  • Event hashing
    • How event hashing works
    • Event hashing in search results
    • Configure custom decorations for Splunk Web
    • Configure event hashing
    • Configure filtering
  • IT data signing
    • How IT data signatures work
    • Configure IT data signing
    • View the integrity of IT data
    • Performance implications
  • Archive signing
    • How archive signing works
    • Verify archived data signatures
    • Configure coldToFrozen scripts
    • Sign or verify your data slices
• Data Management
  • How index management works
    • Data management
    • Configuration files for index management
  • Add or remove an index
    • Create an index
    • Delete an index
  • Remove (delete) data
    • Remove event data from an index
    • Remove global data
    • Remove user data
    • Remove all data
    • Remove events from search results
  • Move an index
    • Configuration
  • Set retirement policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restore archived data
    • Restore with resurrect
    • Restore a copied index archive
  • Export event data
    • via the CLI
    • via Splunk Web
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Set up a WORM datastore
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Configuration
    • Example
  • Configure server classes
    • Configuration
    • Example
  • Configure deployment clients
    • Enable clients via the CLI
    • Enable clients via deployment.conf
    • Example
  • Sync the server and client
    • Configuration changes
• Performance Tuning
  • Performance tuning Splunk
    • Hardware considerations
    • Increase indexing performance
    • Increase search speed
    • Improve storage efficiency
    • Reduce the CPU and memory footprint
    • Utilize multiple CPUs
    • 64-bit operating systems
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • indexes.conf
    • props.conf
    • web.conf
    • fields.conf
    • Configure Splunk Web
  • Cache report results
    • Install and configure the reportcache script
    • Set up and test reportcache
    • Use cached data
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Splunk backup options
    • Back up configurations
    • Back up your entire installation
• Configuration Files
  • How do configuration files work?
    • Configuration file directory structure
    • Configuration file precedence
  • Configure bundle directories
    • Make a bundle directory
    • Bundle best practice
  • Configuration file list
• Applications
  • How applications work
    • Plan your application
    • Apply the Splunk Application Standard to your data
    • Build your application
    • Test your application
    • Package your application to share
    • Share your application on SplunkBase
  • Install Splunk applications
    • Customize an application's event types
    • Customize an application's fields
    • Customize an application's inputs
    • Customize an application's saved searches and alerts
    • Customize an application's reports
• Reference
  • Splunk Command Line Interface (CLI)
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
  • Splunk logfiles
    • Internal logs
    • debug
    • log.cfg
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • alert_actions.conf
    • alert_actions.conf.spec
    • alert_actions.conf.example
  • audit.conf
    • audit.conf.spec
    • audit.conf.example
  • authentication.conf
    • authentication.conf.spec
    • authentication.conf.example
  • authorize.conf
    • authorize.conf.spec
    • authorize.conf.example
  • decorations.conf
    • decorations.conf.spec
    • decorations.conf.example
  • deployment.conf
    • deployment.conf.spec
    • deployment.conf.example
  • distsearch.conf
    • distsearch.conf.spec
    • distsearch.conf.example
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
    • eventdiscoverer.conf.example
  • eventtypes.conf
    • eventtypes.conf.spec
    • eventtypes.conf.example
  • fields.conf
    • fields.conf.spec
    • fields.conf.example
  • field_actions.conf
    • field_actions.conf.spec
    • field_actions.conf.example
  • indexes.conf
    • indexes.conf.spec
    • indexes.conf.example
  • inputs.conf
    • inputs.conf.spec
    • inputs.conf.example
  • literals.conf
    • literals.conf.spec
    • literals.conf.spec
  • multikv.conf
    • multikv.conf.spec
    • Example
  • outputs.conf
    • outputs.conf.spec
    • outputs.conf.example
  • prefs.conf
    • prefs.conf.spec
    • prefs.conf.example
    • prefs.conf.example
  • props.conf
    • props.conf.spec
  • props.conf (cont)
    • props.conf.spec, continued
    • props.conf.example
  • restmap.conf
    • restmap.conf.spec
    • restmap.conf.spec
  • savedsearches.conf
    • savedsearches.conf.spec
    • savedsearches.conf.example
  • segmenters.conf
    • segmenters.conf.spec
    • segmenters.conf.example
  • server.conf
    • server.conf.spec
    • server.conf.example
  • source-classifier.conf
    • Configuration
    • Example
  • sourcetypes.conf
    • Configuration
    • Example
  • streams.conf
    • streams.conf.example
  • transactiontypes.conf
    • transactiontypes.conf.spec
    • transactiontypes.conf.example
  • transforms.conf
    • transforms.conf.spec
    • transforms.conf.example
  • user-seed.conf
    • user-seed.conf.spec
    • user-seed.conf.example
  • web.conf
    • web.conf.spec
    • web.conf.example
• Troubleshooting
  • Contact Support
    • infoGather
    • Log levels and starting in debug mode
    • Debug Splunk Web
    • Core Files
    • LDAP configurations
  • Splunkd is down
    • Splunkd may need a few more seconds to come up
    • Your license file contains line-breaks or other hidden characters
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • I installed my license in a Preview release and now it doesn't work!
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Unable to get a properly formatted response from the server
  • Command line tools
    • btool
    • classify
    • exporttool
    • gzdumper
    • listtails
    • locktest
    • locktool
    • parsetest
    • pcregextest
    • regextest
    • searchtest
    • signtool
    • tsidxprobe

License issues

If you are having trouble with your license, here are some things to look at.

Cannot login

To log in for the first time after applying an Enterprise license (converting from free), use the default username "admin" with the password "changeme". If you later clean (reset) your user data, your username/password is reset to this default.

If admin/changeme doesn't work and you just applied a new license to 3.x (not a beta,) then you may have the wrong type of license. 3.0 GA changed the license format, so previous versions (including licenses created for beta releases) do not work. A 3.x instance with a 2.x license advises you to contact support for a new license and not allow you to login with your username and password. A 2.x instance with a 3.x license only says Incorrect username or password when you try to log in.

If you are using a free license, switch to the new format license:

• Stop Splunk
  • ./splunk stop
• Copy your new license into $SPLUNK_HOME/etc/splunk.license or paste it into the License area in Splunk Web's Admin section.
• Start Splunk
  • ./splunk start

If you get a message that your license is invalid, check that it was correctly installed. Ensure the key does not have any added spaces or line breaks. Also, a valid Enterprise license key begins with the email address of the original recipient from the Splunk Store and is a single line with no spaces. (The free license begins "freelicense".) It may be a bare key or be enclosed in a block of XML like this:

<license>
    <user>freelicense</user>
    <expiration-date>2017-07-17</expiration-date>
    <creation-date>2007-07-17</creation-date>
    <bytelimit>500</bytelimit>
<licenseKey>freelicense;m9LkX5oOpeie+8cCsRg9fdmI6H/A1v0LQUkHx/0SsJMxsy9dXrAcNMgjxcU8j7crCR6tdewuozjNLsGRbPXWMoQf6f5etIIYHNo/WwH/3bJ04qJiq6GikRjg8ySqjcwvaSMLGS4a3CxHtKOwivqCZ+uS1wuiKaYSSZu5DYJMCfO6eAg1xvBQ+VOSmDW3NSVpFKiImrYwmeNqNyDHgaNKCZoF6h5WMYslpk7taF1cdLCaq3tvqwnPXqVGfK9Q+CnA3/vynnA+5WWcFH6fiTgI8nYFUYayb1s5FqjKCOjDpgDsLdLtpOQsEqxJbLFoPPP1tfv8KVKS0NfzZHYZkyNLXA==</licenseKey>
    <productName>free</productName>
</license>

metrics.log

The $SPLUNK_HOME/var/log/splunk/metrics.log file contains indexing statistics like events per second and throughput for various categories. It is not a complete accounting, however. Metrics entries report the top 10 items for each group over a 30 second period. For example, if you have 20 hosts, there will be a thruput_per_host record for the top 10 hosts by size of the input raw data for each period.

License violation warning

If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days. If you have more than 7 violations in a rolling 30-day window, you will be unable to search. Search access returns when you no longer have 7 violations in the previous 30 days or apply a different license with a larger volume limit. Note that Splunk will not stop indexing your data for a license violation but only block your access to it for the period you exceed your license.

To verify your license information in Splunk Web, go to the Admin page, License & Usage tab to verify your license information. Here you can see your License Level daily usage limit, Peak Usage and other information.

If you are adding compressed files, the size of the uncompressed data is counted towards your daily volume. Also, adding custom indexed fields or adding to the raw event text (with either a transform or a custom processor) increases your indexed volume. Internal Splunk events are not counted against your licensed volume.

Advanced license troubleshooting

From the CLI, use the command

splunk show license

to see the license summary:

Product:             Splunk Server
License Level:       10240 MB/day peak indexing
Peak Usage:          0.00 GB/day
Peak %:              0.0%
Expiration Date:     01/18/2038
Time Remaining:      11112 days

This search shows the periodic license check from splunkd, from the _internal index:

index::_internal audit NOT v3

The events returned actually come from $SPLUNK_HOME/var/log/splunk/splunkd.log, so you could also search for "Audit" in the file. This can be helpful for monitoring reported indexed volume over a longer period of time than what is kept in the _internal index. The cumulative daily data indexed is totalCumulativeBytesAtRollover and todaysBytesIndexed. These audit records are generated by splunkd a few times a day, so statistics on new events will not be immediately available.

You can set some additional debugging options to monitor usage and license information.

The file $SPLUNK_HOME/etc/log.cfg controls the level of messages are created in Splunk's own logfiles, from NONE to DEBUG. You can set category.LicenseManager=DEBUG to see additional information about your license. (Restart for changes to take effect.) The output, found in splunkd.log, looks like this:

08-17-2007 07:43:27.631 INFO  LicenseManager - Checking License
08-17-2007 07:43:27.632 DEBUG LicenseManager - Checking for byte-count quota reached. byteCountSinceMeterReset=0, byteLimit=10240M
08-17-2007 07:43:27.632 DEBUG LicenseManager - Byte-count quota not exceeded.
08-17-2007 07:43:27.632 DEBUG LicenseManager - Checking for expiration...
08-17-2007 07:43:27.632 DEBUG LicenseManager - ... license has not expired
08-17-2007 07:43:27.632 DEBUG LicenseManager - checklicense returned: 0

You can also view your license status with this Python script:

import httplib
import time

def rpc(body):
   conn = httplib.HTTPSConnection('localhost:8089')
   conn.connect()
   conn.request("POST", "/rpc/", body)
   response = conn.getresponse()
   reply = response.read()
   return reply 

def main(): 
   xml = '''<call name="getLicenseInfo">
        <params>
        </params>
         </call>'''

   print rpc(xml)

if __name__ == '__main__':
   main()

Save this in a file (like "licensecheck.py") and edit the url for the management port of your instance (including http or https, as appropriate.) Then run "python licensecheck.py". The output is a block of XML containing the details of your license and current status:

<licenseInfo>
    <expirationDate>2147483647</expirationDate>
    <issueDate>1185551536</issueDate>
    <remainingTimeOnLicense>960114900</remainingTimeOnLicense>
    <timeToMeterReset>51653</timeToMeterReset>
    <currentByteCount>0</currentByteCount>
    <byteLimit>10240</byteLimit>
    <peakBytesPerDay>0</peakBytesPerDay>
    <totalBytesProcessedAtRollover>0</totalBytesProcessedAtRollover>
    <numberRollovers>3</numberRollovers>
    <byteQuotaExceededCount>0</byteQuotaExceededCount>
    <lastExceededDate>0</lastExceededDate>
    <expirationState>0</expirationState>
    <errorString></errorString>
    <previouslyKeyed>false</previouslyKeyed>
    <product>pro</product>
    <type>prod</type>
<addons></addons>
<maxViolationsHit>0</maxViolationsHit>
</licenseInfo>

I installed my license in a Preview release and now it doesn't work!

Splunk's Preview releases require a different license that is not compatible with other Splunk releases. Alternately, if you are evaluating a Preview release of Splunk, it will not run with a Free or Enterprise license. The preview licenses will typically enable Enterprise features, they are just restricted to Preview releases.