• How Splunk Works
  • Overview of Splunk
    • Configuration options
    • Installation and upgrade
    • Data inputs
    • Indexing
    • Fields
    • Search
    • Security
    • Data management
    • Deployment server
    • Performance tuning
    • Configuration files
    • Applications
    • Customization
    • Troubleshooting
• Getting Started
  • Start Splunk
    • Before you start
    • Start Splunk on non-Windows platforms
    • Start Splunk on Windows
    • Load Splunk Web in your browser
  • Administration basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Find and index data
    • Add Data
    • Monitor a file
    • Crawl for inputs
  • Add more users
    • Splunk local users
  • Start searching
• Data Inputs
  • How input configuration works
    • Files and directories
    • Network ports
    • Scripted inputs
    • Indexing properties
  • Configure inputs via Splunk Web
    • Configuration
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
  • Configure inputs via inputs.conf
    • Configuration
    • Global settings
    • Input types
    • Examples
  • Configure inputs for Windows
    • Configure indexing for Windows event logs
    • Configure Windows registry monitoring input
  • WMI input
    • Security and remote access considerations
    • Configure WMI input
    • Source and source type for WMI data
  • Windows registry input
    • How it works
    • Get a baseline snapshot
    • What to consider
    • Configure Windows registry input
  • Configure crawl
    • Configuration
    • Example
  • Scripted inputs
    • Configuration
    • Example
  • Configure whitelist and blacklist rules
    • Whitelist (allow) files
    • Blacklist (ignore) files
    • Verify your lists
  • Log file rotation
    • How log rotation works
  • Strip syslog headers before processing
    • Configuration
    • Example
  • Determine what files Splunk is monitoring
    • Run listtails
  • Index SNMP events with Splunk
  • log4j
• Data Distribution
  • How data distribution works
    • Forwarding
    • Routing
    • Cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lightweight forwarding
  • Configure target groups in outputs.conf
    • Configuration
    • Example
  • Set up routing
    • Configuration
    • Basic example
    • Advanced example
  • Route specific events to different queues
    • Configuration
    • Example: Send matching events to nullQueue
    • Example: Send matching events to indexQueue, everything else to nullQueue
  • Route specific events to an alternate index
    • Configuration
    • Example
  • Set up SSL
    • Forwarder
    • Receiver
  • Enable cloning
  • Set up data balancing
    • Configuration
    • Example
  • Route data to third-party systems
    • Configuration
    • Example
• Indexing
  • How indexing works
    • How events work
    • How segmentation works
  • Index multi-line events
    • Configuration
    • Examples
  • Configure segmentation
    • Splunk Web segmentation
  • Configure custom segmentation for a host, source, or source type
    • via props.conf
    • Example
  • Mask sensitive data in an event
    • Configuration
  • Configure character set encoding
    • Supported character sets
    • Manually specify a character set
    • Automatically specify a character set
    • If Splunk doesn't recognize a character set
  • Dynamic metadata assignment
    • Configuration
    • Set values with a script
• Timestamps
  • How timestamp extraction works
    • Precedence rules for timestamp assignment
    • Configure timestamps
  • Configure timestamp extraction
    • Configure timestamp extraction in props.conf
    • Enhanced strptime() support
    • Examples
  • Configure timezone offsets
    • Configure timezone offsets in props.conf
    • zoneinfo (TZ) database
    • Configure timezone offsets for Splunk versions before 3.2
  • Configure European date formats
    • Configure European date format in literals.conf
    • Use the timeformat modifier
  • Configure positional timestamp extraction
    • Configure positional timestamp extraction in props.conf
  • Tune timestamp extraction for better indexing performance
    • Adjust timestamp lookahead
    • Turn off the timestamp processor
  • Train Splunk to recognize a timestamp
    • Steps to configure timestamps with train dates
    • Run the train dates command
    • Create a custom datetime.xml
    • Edit your local props.conf
• Fields
  • How fields work
    • Indexed vs. extracted fields
    • Configure fields
    • Disable automatically extracted fields
    • Configuration files for fields
  • Create indexed fields via configuration files
    • Configuration
    • Example
  • Create extracted fields via configuration files
    • Configuration
    • Example
    • Extract fields from multi-line events
  • Create extracted fields via Splunk Web
  • Field actions
    • Configuration
    • Example
  • Configure fields.conf
    • Configuration
  • Configure multi-value fields
    • Configure multi-value fields via fields.conf
    • Example
  • Configure tags
    • Configure tags vis tags.conf
    • Examples
  • Automatic header-based field extraction
    • How automatic header-based field extraction works
    • Configure automatic header-based field extraction
    • Note about search and header-based field extraction
    • Examples
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via Splunk Web
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via Splunk Web
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
• Source Types
  • How source types work
    • Source vs source type
    • How Splunk can set sourcetype field values
    • How Splunk applies source type values (precedence)
    • Configuration files for source types
  • Rule-based association of source types
    • Configuration
    • Examples
  • Set source type for an input
    • via Splunk Web
    • via configuration files
  • Set source type for a source
    • via configuration files
  • Train Splunk to recognize a source type
    • via the CLI
  • Source type settings in props.conf
  • Configure a source type alias
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Event type discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Save event types via Splunk Web
    • Configuration
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Tag event types
    • Configuration
  • Event type discovery
    • Configure event types
  • Event type templates
    • Configuration
    • Example
  • Dynamic event rendering
    • How dynamic event rendering works
    • Configure dynamic event rendering
    • Example
• Transaction Types
  • How transaction types work
    • Define transactions
    • Sample use cases
  • Transaction types via configuration files
    • Configuration
    • Example
  • Transaction search
    • Transactions and macro search
• Search
  • How search works
    • Saved searches
    • Alerting
    • Live tail
    • Summary indexing
  • Set up saved searches
    • via Splunk Web
  • Set up saved searches via savedsearches.conf
    • Configuration
    • Example
  • Set up alerts via Splunk Web
    • Set up an alert
    • Specify which fields to show
  • Set up alerts via savedsearches.conf
    • alerting options
    • display options
    • Script options
    • Example
  • Customize alert options
    • Email options
    • Additional alert customizations
  • Create a form search
    • Form searches with fields
    • Form searches with predefined values
    • Share your form search
  • Macro searches
    • Configure a macro search
  • Configure summary indexing
    • Summary indexing and license volume
    • Manually configure summary indexing
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the Splunk CLI
    • Current limitations
  • Send syslog events
    • Configuration
    • Example
  • Send SNMP traps
    • Configuration
    • Configure your alert to call a shell script
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via Splunk Web
  • Enable distributed search via the CLI
    • Configuration
  • Configure distributed search via distsearch.conf
    • Configuration
    • Example
  • Exclude specific Splunk servers from distributed searches
• Security
  • Security options
    • Authentication
    • Audit
  • Enable HTTPS
    • Configuration
    • Certificates
  • SSL
    • Configuration
  • Configure roles
    • Configuration
    • Example
  • Set up LDAP
    • Configure LDAP
    • Example
    • Known issues with LDAP
  • Scripted authentication
    • Known issues with scripted auth
    • Configuration
    • Script commands
  • File system change monitor
    • How the file system change monitor works
    • Configure the file system change monitor
  • Audit events
    • Audit event composition
    • Audit event generation
    • Audit event storage
    • Audit event processing
    • Search for audit events
  • Audit event signing
    • How audit event signing works
    • Configure audit event signing
  • Event hashing
    • How event hashing works
    • Event hashing in search results
    • Configure custom decorations for Splunk Web
    • Configure event hashing
    • Configure filtering
  • IT data signing
    • How IT data signatures work
    • Configure IT data signing
    • View the integrity of IT data
    • Performance implications
  • Archive signing
    • How archive signing works
    • Verify archived data signatures
    • Configure coldToFrozen scripts
    • Sign or verify your data slices
• Data Management
  • Splunk data management
    • Index management
    • Configuration files for index management
  • Create an index
    • via Splunk Web
    • via Splunk's CLI
    • via indexes.conf
    • Delete an index
  • Remove (delete) data
    • Remove event data from an index
    • Remove global data
    • Remove user data
    • Remove all data
    • Remove events from search results
  • Move an index
    • Configuration
  • Set a retirement and archiving policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restore archived data
    • Restore with resurrect
    • Restore a copied index archive
  • Export event data
    • via the CLI
    • via Splunk Web
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Configuration
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Configuration
    • Example
  • Configure server classes
    • Configuration
    • Example
  • Configure deployment clients
    • Enable/disable clients via the CLI
    • Enable clients via deployment.conf
    • Example
  • Sync the server and client
    • Configuration changes
• Performance Tuning
  • Performance tuning Splunk
    • Hardware considerations
    • Increase indexing performance
    • Increase search speed
    • Improve storage efficiency
    • Reduce the CPU and memory footprint
    • Utilize multiple CPUs
    • 64-bit operating systems
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • indexes.conf
    • props.conf
    • web.conf
    • fields.conf
    • Configure Splunk Web
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Splunk backup options
    • Back up configurations
    • Back up your entire installation
• Configuration Files
  • How do configuration files work?
    • Configuration file directory structure
    • Configuration file precedence
  • Configure application directories
    • Make an application directory
    • Best practice
  • Configuration file list
• Applications
  • About applications
    • What are applications?
    • Where do they fit into Splunk?
    • Where can you find them?
    • How do you install them?
  • Install Splunk applications
    • via Splunk's App Manager
    • after download from SplunkBase
    • on an isolated network or machine
• Reference
  • Splunk log files
    • Internal logs
    • debug
    • log.cfg
  • Work with metrics.log
    • Use metrics.log to troubleshoot issues with data inputs
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • alert_actions.conf
    • alert_actions.conf.spec
    • alert_actions.conf.example
  • app.conf
    • app.conf.spec
    • app.conf.example
  • audit.conf
    • audit.conf.spec
    • audit.conf.example
  • authentication.conf
    • authentication.conf.spec
    • authentication.conf.example
  • authorize.conf
    • authorize.conf.spec
    • authorize.conf.example
  • commands.conf
    • commands.conf.spec
    • commands.conf.example
  • crawl.conf
    • crawl.conf.example
    • crawl.conf.spec
  • decorations.conf
    • decorations.conf.spec
    • decorations.conf.example
  • deployment.conf
    • deployment.conf.spec
    • deployment.conf.example
  • distsearch.conf
    • distsearch.conf.spec
    • distsearch.conf.example
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
    • eventdiscoverer.conf.example
  • eventtypes.conf
    • eventtypes.conf.spec
    • eventtypes.conf.example
  • field_actions.conf
    • field_actions.conf.spec
    • field_actions.conf.example
  • fields.conf
    • fields.conf.spec
    • fields.conf.example
  • indexes.conf
    • indexes.conf.spec
    • indexes.conf.example
  • inputs.conf
    • inputs.conf.spec
    • inputs.conf.example
  • limits.conf
    • limits.conf.spec
    • limits.conf.example
  • literals.conf
    • literals.conf.example
  • multikv.conf
    • multikv.conf.spec
    • multikv.conf.example
  • outputs.conf
    • outputs.conf.spec
    • outputs.conf.example
  • prefs.conf
    • prefs.conf.spec
    • prefs.conf.example
  • props.conf
    • props.conf.example
    • props.conf.spec
  • props.conf (cont)
    • props.conf.spec, continued
  • regmon-filters.conf
    • regmon-filters.conf.spec
    • regmon-filters.conf.example
  • restmap.conf
    • restmap.conf.example
    • restmap.conf.spec
  • savedsearches.conf
    • savedsearches.conf.example
    • savedsearches.conf.spec
  • segmenters.conf
    • segmenters.conf.example
    • segmenters.conf.spec
  • server.conf
    • server.conf.example
    • server.conf.spec
  • source-classifier.conf
    • source-classifier.conf.example
    • source-classifier.conf.spec
  • sourcetypes.conf
    • sourcetypes.conf.example
    • sourcetypes.conf.spec
  • streams.conf
    • streams.conf.example
    • streams.conf.spec
  • strings.conf
    • strings.conf.example
    • strings.conf.spec
  • sysmon.conf
    • sysmon.conf.example
    • sysmon.conf.spec
  • tags.conf
    • tags.conf.spec
    • tags.conf.spec
  • transactiontypes.conf
    • transactiontypes.conf.example
    • transactiontypes.conf.spec
  • transforms.conf
    • transforms.conf.example
    • transforms.conf.spec
  • user-seed.conf
    • user-seed.conf.example
    • user-seed.conf.spec
  • web.conf
    • web.conf.example
    • web.conf.spec
  • wmi.conf
    • wmi.conf.example
    • wmi.conf.spec
• Troubleshooting
  • Contact Support
    • infoGather
    • Log levels and starting in debug mode
    • Debug Splunk Web
    • Core Files
    • LDAP configurations
  • Splunkd is down
    • Splunkd may need a few more seconds to come up
    • Your license file contains line-breaks or other hidden characters
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • I installed my license in a Preview release and now it doesn't work!
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Unable to get a properly formatted response from the server
  • Command line tools
    • btool
    • classify
    • exporttool
    • gzdumper
    • listtails
    • locktest
    • locktool
    • parsetest
    • pcregextest
    • regextest
    • searchtest
    • signtool
    • tsidxprobe

Overview of Splunk

Splunk is search software for any type of data. Learn more about how Splunk works by reading through this introductory page. You'll find many links here for installing, configuring and customizing your Splunk installation.

Configuration options

Splunk has several options for configuration: a web interface (known as Splunk Web), a command line interface (known as the CLI) and its configuration files. Most of Splunk's configuration can be accomplished by using the Admin page of Splunk Web, and the CLI. Configure advanced settings through configuration files.

Installation and upgrade

Installing Splunk is easy and fast. These instructions show you how to install, upgrade, or back up an existing copy of Splunk.

• Installation
  • Installation instructions for all supported platforms are found in the Installation Manual
  • On *nix platforms, use a tarball or RPM file.
  • On Mac, use a tarball or DMG file.
  • On Windows, download the .exe file and install. Instructions for Windows installation are located here.
• Upgrade
  • There are a lot of new features available in 3.3. You may want to consider an upgrade if you are running an earlier version.
  • Upgrade instructions are here.

Important: It's a good idea to back up your current instance before you upgrade.

Data inputs

Splunk is capable of receiving data in a variety of ways. Configure your Splunk data inputs via:

• Add and configure inputs via the Admin page of Splunk Web.
• You can also use Splunk's CLI to configure inputs.
• Configure advanced input settings by using configuration files.
  • Use inputs.conf to configure advanced input settings.
• Use Splunk's crawl feature to search for new data inputs and files on your Splunk server.

Read on for a brief description of each input type.

• Monitor
  • Use monitor to stream live data into Splunk.
  • Monitor works for continuous inputs from files or directories.
• Upload
  • Upload a file directly to Splunk Web.
  • Files can be local to the workstation or on the Splunk server.
• Network ports
  • Splunk supports UDP and TCP connections.
  • Configure syslog on UDP 514.
  • Use TCP connections for log4j.
• Distributed
  • One Splunk Server can receive data from any number of other Splunk Servers via data distribution (description below).
  • This port is configurable, but defaults to 9998.
• Scripted inputs
  • Use scripted inputs to receive the outputs of command-line tools (such as vmstat, iostat, netstat, top, etc.) or other programs.
  • Learn more about scripted inputs.

Note: For a more in-depth description of inputs, read how input configuration works.

Windows

Splunk for Windows comes with its own set of configuration files for setting up Windows-specific inputs, including Windows registry and WMI. Read more about configuring Windows inputs.

Distributed data

Configure distributed inputs and outputs across your network. Send data between one Splunk instance and another, or third party software. For an overview on all the available configuration options, see How data distribution works.

• Forwarding and receiving
  • A Splunk Server in forwarding mode can send data to one or more Splunk instances.
  • Any Splunk Server can receive data from one or more Splunk instances.
  • Learn more about forwarding and receiving.

• 3rd party systems
  • Splunk can also forward raw data to any other system or software.
  • You can set up Splunk to send or receive data from 3rd party systems. Learn how.

Indexing

Splunk takes all data from inputs and sends it to an indexing pipeline. Data is then broken up into separate events via segmentation rules. Most data is segmented and timestamped correctly. However, you may wish to configure Splunk to index your data in particular ways. Learn more about how indexing works.

Here are some things you might want to consider:

• Configure event boundaries
• Configure segmentation
• Mask sensitive data
• Character set
• Timestamp recognition

Configuration for indexing is set mostly through props.conf and transforms.conf.

Fields

Fields are a useful aspect of Splunk's search interface. You can use Splunk's built-in fields that are enabled by default. Here's a list of Splunk's default fields, including links to more in-depth documentation:

• Source
  • The source field specifies the path to the original data input.
  • It is set automatically, but can be tagged.
• Host
  • Host is the label for the device that originated the event.
  • Read more about host.
• Source type
  • A source type refers to any common format of data produced by a group of sources, such as weblogic or syslog.
  • Learn more about source types.
• Event types
  • Event types are groups of common events.
  • Learn more about event types.

You can also create your own fields. Custom fields are useful for:

• Customizing searches (see below for search options).
• Creating field actions.
• Enabling event type templates.

To learn more about creating custom fields, see how fields work.

Search

Splunk's search interface is useful for tracking down different aspects of your data. Here are a few things you can do with your searches:

• Search commands.
  • Splunk has a powerful search language.
  • Craft simple to sophisticated searches.
• Save searches.
  • Any search can be saved and run at any time.
  • Save searches with variables to fill in at search time, including:
    • Form search.
    • Macro search.
• LiveTail
  • Run a search to watch data as it's indexed.
  • Read more about Live Tail.
• Alerts
  • Schedule Splunk to send search results via email or RSS.
• Summary indexing
  • Save the output of any search to a special index.
• Transactions
  • Search for transactions that occur across events, such as email threads, store purchases

For a more detailed overview of search, see how search works.

Distributed search

In a distributed set up, you may want to search across multiple instances of Splunk. Enable distributed search to federate searches across your entire Splunk deployment. Read more about how distributed search works.

Security

Secure your Splunk server with the following security configuration options. Here's a brief overview of the available features. For a more detailed overview, see security options.

Authentication

Splunk includes several authentication options, including:

• Roles, which allow you to set up:
  • User roles capabilities.
  • User-based access controls.
• LDAP
  • Set up LDAP.
• SSL
  • Enable HTTPS.
  • Or SSL for Splunk's back-end.

Audit

Use the following options to enable separate auditing configurations:

• File system monitor
  • The file system change monitor watches any designated file system and sends an event if files or directories are affected in any way.
  • By default, Splunk monitors its own $SPLUNK_HOME/etc/ directory for configuration changes.
• Audit events
  • Events generated by the file system change monitor as well as user activity within Splunk.
  • Audit events are stored in a separate index, _audit.
• Audit event signing
  • Set up cryptographic signing for audit events.
• IT data signing
  • Enable cryptographic signing for all your events as they enter Splunk.
• Archive signing
  • Sign your data as it is archived.
• Event decorations
  • Mark your audit events with icons so they're more noticeable.

Data management

Splunk servers often index large amounts of data each day. You may want to enable advanced settings to handle the following data management scenarios.

• Index management, including:
  • Add or remove an index.
  • Delete data from the index.
  • Move an index.

• Data archiving, including:
  • Set retirement policy.
  • Automate archiving.
  • Restore archived data.
  • Export event data.

• Storage options:
  • Disk usage.
  • Use separate partitions for Splunk's data store.
  • Use WORM (Write Once Read Many) volumes for Splunk's data store.

Note: Many data management settings are enabled on a per-index basis, using indexes.conf. To learn more about indexes, see how indexes work.

Deployment server

In a distributed set up, enable one or more Splunk instances as deployment servers. A deployment server pushes out configuration changes to other Splunk instances.

For a complete overview of all deployment options, read the Deployment manual. For instructions on configuring and enabling the deployment server and clients, read the Admin manual section on the deployment server.

Performance tuning

The following options help you tune Splunk's performance for your environment. Depending on your system and requirements, you may want to change one or more of the following settings:

• Indexing
  • Change various configurations to speed up Splunk's intake of data.
• Search
  • Settings for faster return of search results.
• Storage efficiency
  • Cut down on the space of your Splunk index.
• CPU and memory footprint
  • Tune Splunk's CPU usage and memory settings.
• Backup
  • Back up your Splunk install.
  • Note: It is a good idea to backup Splunk before performing any migrations or upgrades.

A more in-depth overview of performance tuning options is available here.

Configuration files

Many of Splunk's advanced configurations and customizations are available only through configuration files. Create configurations by copying files into a custom application directory. Learn more about application directories and configuring application directories.

Applications

Applications are directories of configuration files with specific purposes. Configure your own applications by following these instructions.

You can also share your configuration file directories as applications with the Splunk community on SplunkBase.

Customization

Pimp your Splunk! Everybody's data is a little bit different. Maybe you want to set custom configurations for the system you're running Splunk on. Here are options for personalizing your Splunk instance.

Splunk Web appearance

Change various aspects of Splunk Web's appearance:

• Dashboards
  • Configure user settings and dashboards via prefs.conf.
• Decorations
  • Set icons for event types with dynamic event rendering.
• Literals
  • Change the externalized strings in Splunk Web via literals.conf.
• Skinning
  • Change the way your web interface looks.
  • Read the Developer's Guide for help with skinning Splunk.

Extend Splunk

Splunk includes a REST API. Read the Developer's Guide to learn more about the REST API. To configure additional REST endpoints, use restmap.conf.

Troubleshooting

If there's something you need help with, even after reading the documentation, contact Splunk support.

If there's a feature you don't see here that you want included, file an enhancement request with Splunk support.

We're always interested in your feedback.

• Splunk support.
• Splunk forums.