Splunk.com | SplunkBase | Support

Documentation: 3.3.2

| Print Version Contents

How Splunk Works
- Overview of Splunk
Getting Started
- Start Splunk
- Administration basics
- Change defaults
- Find and index data
  - Monitor a file
  - Crawl for inputs
- Add more users
  - Splunk local users
  - Examples
- Start searching
Data Inputs
- How input configuration works
- Files and directories
- FIFO
- Network ports
- Scripted inputs
  - Configuration
  - Example
- Whitelist and blacklist rules
- Crawl
  - Configuration
  - Example
- Windows inputs
  - Configure indexing for Windows event logs
  - Configure Windows registry monitoring input
- Windows Management Interface (WMI) input
- Windows registry input
Data Distribution
- How data distribution works
- Enable forwarding and receiving
- Configure target groups in outputs.conf
  - Configuration
  - Example
- Set up routing
- Route specific events to different queues
- Route specific events to an alternate index
  - Configuration
  - Example
- Set up SSL
  - Forwarder
  - Receiver
- Enable cloning
- Set up data balancing
  - Configuration
  - Example
- Route data to third-party systems
  - Configuration
  - Example
Indexing
- How indexing works
  - How events work
  - How segmentation works
- Index multi-line events
  - Configuration
  - Examples
- Configure segmentation
  - Splunk Web segmentation
- Configure custom segmentation for a host, source, or source type
  - via props.conf
  - Example
- Mask sensitive data in an event
  - Configuration
- Configure character set encoding
- Dynamic metadata assignment
  - Configuration
  - Set values with a script
Timestamps
- How Splunk extracts timestamps
  - Precedence rules for timestamp assignment
  - Configure timestamps
- Configure timestamp extraction
- Apply timezone offsets
- Recognize European date format
  - Configure European date format in literals.conf
  - Use the timeformat modifier
- Configure positional timestamp extraction
  - Configure positional timestamp extraction in props.conf
- Tune timestamp extraction for better indexing performance
  - Adjust timestamp lookahead
  - Turn off the timestamp processor
- Train Splunk to recognize a timestamp
Fields
- How fields work
- Create fields via Splunk Web
- Create fields via configuration files
- Create indexed fields via configuration files
  - Configuration
  - Example
- Field actions
  - Configuration
  - Example
- Configure fields.conf
  - Configuration
- Configure multi-value fields
  - Configure multi-value fields via fields.conf
  - Example
- Configure tags
  - Configure tags with tags.conf files
  - Examples
- Automatic header-based field extraction
Hosts
- How host works
- Set default host for a Splunk server
  - via Splunk Web
  - via configuration files
- Define host assignment for an input
  - Statically
  - Dynamically
- Tag hosts
  - via Splunk Web
  - Host tags vs host names
- Extract host per event
  - Configuration
  - Example
Source Types
- How source types work
- Rule-based association of source types
  - Configuration
  - Examples
- Set source type for an input
  - via Splunk Web
  - via configuration files
- Set source type for a source
  - via configuration files
- Train Splunk to recognize a source type
  - via the CLI
- Source type settings in props.conf
- Configure a source type alias
Event Types
- How event types work
- Save event types via Splunk Web
  - Configuration
- Configure eventtypes.conf
- Tag event types
  - Configuration
- Event type discovery
  - Configure event types
- Event type templates
  - Configuration
  - Example
- Dynamic event rendering
Transaction Types
- How transactions work
  - Transaction search
  - Configure transaction types
- Transaction types via configuration files
  - Configuration
- Transaction search
  - Search options
  - Transactions and macro search
Search
- How search works
- Set up saved searches via Splunk Web
  - Save your search
  - Schedule a saved search
- Set up saved searches via savedsearches.conf
  - Configuration
  - Example
- Create a form search
- Macro searches
  - Configure a macro search
- Configure summary indexing
  - Configuration
  - Manually configure summary indexing
- Live tail
Distributed Search
- How distributed search works
  - Known issues with distributed search
- Enable distributed search via Splunk Web
- Enable distributed search via the CLI
  - Configuration
- Configure distributed search via distsearch.conf
  - Configuration
  - Example
- Exclude specific Splunk servers from distributed searches
Alerts
- How Alerts Work
- Set up alerts via Splunk Web
- Set up alerts via savedsearches.conf
- Scripted Alerts
  - Script options
  - Example
- Customize alert options
  - Configuration
- Send SNMP traps
  - Configuration
  - Configure your alert to call a shell script
Security
- Security options
  - Authentication
  - Audit
- Enable HTTPS
  - Configuration
  - Certificates
- SSL
  - Configuration
- Configure roles
  - Configuration
  - Example
- Set up LDAP
- Scripted authentication
- File system change monitor
  - How the file system change monitor works
  - Configure the file system change monitor
- Audit events
- Audit event signing
  - How audit event signing works
  - Configure audit event signing
- Event hashing
- IT data signing
- Archive signing
Data Management
- Splunk data management
  - Index management
  - Configuration files for index management
- Create an index
- Remove (delete) data
- Export event data
  - via the CLI
  - via Splunk Web
- Move an index
  - Configuration
- Set a retirement and archiving policy
  - Remove files beyond a certain size
  - Remove files beyond a certain age
- Automate archiving
  - Use Splunk's index aging policy to archive
- Restore archived data
  - Restore with resurrect
  - Restore a copied index archive
- Back up your data
  - Back up your Splunk configurations only
  - Back up your indexed data
- Disk usage
  - Set minimum free disk space
  - Set database size
- Use separate partitions for Splunk's datastore
  - Set up separate partitions
- Use WORM (Write Once Read Many) volumes for Splunk's datastore
  - Configuration
Deployment Server
- How the deployment server works
- Configure a Splunk deployment server
  - Edit deployment.conf
  - Example
- Configure server classes
  - Configuration
  - Example
- Configure deployment clients
- Sync the server and client
  - Configuration changes
Performance Tuning
- Performance tuning Splunk
- Indexing performance
- Search performance
- Storage efficiency
- CPU and memory footprint
  - Improve CPU usage
  - Improve memory usage
- Multi-CPU servers
  - indexes.conf
- 64-bit operating systems
  - indexes.conf
Configuration Files
- How do configuration files work?
  - Configuration file directory structure
  - Configuration file precedence
- Configure application directories
  - Make an application directory
  - Best practice
- Configuration file list
Applications
- About applications
- About Splunk's application manager
  - View and manage applications
  - Browse SplunkBase
- Install Splunk applications
Reference
- Pre-trained source types
  - Automatically recognized source types
  - Pre-trained source types
- Splunk log files
  - Internal logs
  - debug
  - log.cfg
- Work with metrics.log
  - Use metrics.log to troubleshoot issues with data inputs
- Log file rotation
  - How log rotation works
- Determine what files Splunk is monitoring
  - Run listtails
- Index SNMP events with Splunk
- log4j
- Strip syslog headers before processing
  - Configuration
  - Example
- alert_actions.conf
  - alert_actions.conf.spec
  - alert_actions.conf.example
- app.conf
  - app.conf.spec
  - app.conf.example
- audit.conf
  - audit.conf.spec
  - audit.conf.example
- authentication.conf
  - authentication.conf.spec
  - authentication.conf.example
- authorize.conf
  - authorize.conf.spec
  - authorize.conf.example
- commands.conf
  - commands.conf.spec
  - commands.conf.example
- crawl.conf
  - crawl.conf.example
  - crawl.conf.spec
- decorations.conf
  - decorations.conf.spec
  - decorations.conf.example
- deployment.conf
  - deployment.conf.spec
  - deployment.conf.example
- distsearch.conf
  - distsearch.conf.spec
  - distsearch.conf.example
- eventdiscoverer.conf
  - eventdiscoverer.conf.spec
  - eventdiscoverer.conf.example
- eventtypes.conf
  - eventtypes.conf.spec
  - eventtypes.conf.example
- field_actions.conf
  - field_actions.conf.spec
  - field_actions.conf.example
- fields.conf
  - fields.conf.spec
  - fields.conf.example
- indexes.conf
  - indexes.conf.spec
  - indexes.conf.example
- inputs.conf
  - inputs.conf.spec
  - inputs.conf.example
- limits.conf
  - limits.conf.spec
  - limits.conf.example
- literals.conf
  - literals.conf.example
- multikv.conf
  - multikv.conf.spec
  - multikv.conf.example
- outputs.conf
  - outputs.conf.spec
  - outputs.conf.example
- prefs.conf
  - prefs.conf.spec
  - prefs.conf.example
- props.conf
  - props.conf.example
  - props.conf.spec
- props.conf (cont)
  - props.conf.spec, continued
- regmon-filters.conf
  - regmon-filters.conf.spec
  - regmon-filters.conf.example
- restmap.conf
  - restmap.conf.spec
  - restmap.conf.example
- savedsearches.conf
  - savedsearches.conf.spec
  - savedsearches.conf.example
- segmenters.conf
  - segmenters.conf.example
  - segmenters.conf.spec
- server.conf
  - server.conf.example
  - server.conf.spec
- source-classifier.conf
  - source-classifier.conf.example
  - source-classifier.conf.spec
- sourcetypes.conf
  - sourcetypes.conf.example
  - sourcetypes.conf.spec
- streams.conf
  - streams.conf.example
  - streams.conf.spec
- strings.conf
  - strings.conf.example
  - strings.conf.spec
- sysmon.conf
  - sysmon.conf.example
  - sysmon.conf.spec
- tags.conf
  - tags.conf.example
  - tags.conf.spec
- transactiontypes.conf
  - transactiontypes.conf.spec
  - transactiontypes.conf.example
- transforms.conf
  - transforms.conf.spec
  - transforms.conf.example
- user-seed.conf
  - user-seed.conf.example
  - user-seed.conf.spec
- web.conf
  - web.conf.example
  - web.conf.spec
- wmi.conf
  - wmi.conf.example
  - wmi.conf.spec
Troubleshooting
- Contact Support
- Splunkd is down
  - Splunkd may need a few more seconds to come up
  - Your license file contains line-breaks or other hidden characters
- License issues
- Anonymize data samples
  - Simple method
  - Advanced method
- Unable to get a properly formatted response from the server
- Command line tools
  - cmd
  - btool
  - classify
  - gzdumper
  - listtails
  - locktest
  - locktool
  - parsetest
  - pcregextest
  - regextest
  - searchtest
  - signtool
  - tsidxprobe

This page last updated: 05/14/08 11:05pm

Determine what files Splunk is monitoring

When you configure inputs, you may want to know what specific files Splunk is monitoring prior to starting Splunk for indexing. This is especially true when configuring whitelisting/blacklisting rules. Splunk includes a listtails utility which reads in the configuration of inputs.conf in all applications, scans your directories and shows you the exact list of files what Splunk will monitor when you restart. This allows you to make changes to inputs.conf and verify if the blacklist/whitelist filtering is correct.

Run listtails

To use the listtails utility:
1. Navigate to $SPLUNK_HOME/bin/.
2. Run the command ./splunk cmd listtails.

Previous: Log file rotation | Next: Index SNMP events with Splunk

Comments

No comments have been submitted.

Log in to comment.