Splunk.com | SplunkBase | Support

Documentation: 3.3

| Print Version Contents

How Splunk Works
- Overview of Splunk
Getting Started
- Start Splunk
- Administration basics
- Change defaults
- Find and index data
  - Monitor a file
  - Crawl for inputs
- Add more users
  - Splunk local users
  - Examples
- Start searching
Data Inputs
- How input configuration works
- Files and directories
- FIFO
- Network ports
- Scripted inputs
  - Configuration
  - Example
- Whitelist and blacklist rules
- Crawl
  - Configuration
  - Example
- Windows inputs
  - Configure indexing for Windows event logs
  - Configure Windows registry monitoring input
- Windows Management Interface (WMI) input
- Windows registry input
Data Distribution
- How data distribution works
- Enable forwarding and receiving
- Configure target groups in outputs.conf
  - Configuration
  - Example
- Set up routing
- Route specific events to different queues
- Route specific events to an alternate index
  - Configuration
  - Example
- Set up SSL
  - Forwarder
  - Receiver
- Enable cloning
- Set up data balancing
  - Configuration
  - Example
- Route data to third-party systems
  - Configuration
  - Example
Indexing
- How indexing works
  - How events work
  - How segmentation works
- Index multi-line events
  - Configuration
  - Examples
- Configure segmentation
  - Splunk Web segmentation
- Configure custom segmentation for a host, source, or source type
  - via props.conf
  - Example
- Mask sensitive data in an event
  - Configuration
- Configure character set encoding
- Dynamic metadata assignment
  - Configuration
  - Set values with a script
Timestamps
- How Splunk extracts timestamps
  - Precedence rules for timestamp assignment
  - Configure timestamps
- Configure timestamp extraction
- Apply timezone offsets
- Recognize European date format
  - Configure European date format in literals.conf
  - Use the timeformat modifier
- Configure positional timestamp extraction
  - Configure positional timestamp extraction in props.conf
- Tune timestamp extraction for better indexing performance
  - Adjust timestamp lookahead
  - Turn off the timestamp processor
- Train Splunk to recognize a timestamp
Fields
- How fields work
- Create fields via Splunk Web
- Create fields via configuration files
  - Configuration
  - Examples
- Create indexed fields via configuration files
- Field actions
  - Configuration
  - Example
- Configure fields.conf
  - Configuration
- Configure multi-value fields
  - Configure multi-value fields via fields.conf
  - Example
- Configure tags
  - Configure tags with tags.conf files
  - Examples
- Automatic header-based field extraction
Hosts
- How host works
- Set default host for a Splunk server
  - via Splunk Web
  - via configuration files
- Define host assignment for an input
  - Statically
  - Dynamically
- Tag hosts
  - via Splunk Web
  - Host tags vs host names
- Extract host per event
  - Configuration
  - Example
Source Types
- How source types work
- Rule-based association of source types
  - Configuration
  - Examples
- Set source type for an input
  - via Splunk Web
  - via configuration files
- Set source type for a source
  - via configuration files
- Train Splunk to recognize a source type
  - via the CLI
- Source type settings in props.conf
- Configure a source type alias
Event Types
- How event types work
- Save event types via Splunk Web
  - Configuration
- Configure eventtypes.conf
- Tag event types
  - Configuration
- Event type discovery
  - Configure event types
- Event type templates
  - Configuration
  - Example
- Dynamic event rendering
Transaction Types
- How transactions work
  - Transaction search
  - Configure transaction types
- Transaction types via configuration files
  - Configuration
- Transaction search
  - Search options
  - Transactions and macro search
Search
- How search works
- Set up saved searches via Splunk Web
  - Save your search
  - Schedule a saved search
- Set up saved searches via savedsearches.conf
  - Configuration
  - Example
- Customize alert options
  - Configuration
- Create a form search
- Macro searches
  - Configure a macro search
- Live tail
Distributed Search
- How distributed search works
  - Known issues with distributed search
- Enable distributed search via Splunk Web
- Enable distributed search via the CLI
  - Configuration
- Configure distributed search via distsearch.conf
  - Configuration
  - Example
- Exclude specific Splunk servers from distributed searches
Alerts
- How Alerts Work
- Set up alerts via Splunk Web
- Set up alerts via savedsearches.conf
- Scripted Alerts
  - Script options
  - Example
- Manually configure summary indexing
- Send SNMP traps
  - Configuration
  - Configure your alert to call a shell script
Security
- Security options
  - Authentication
  - Audit
- Enable HTTPS
  - Configuration
  - Certificates
- SSL
  - Configuration
- Configure roles
  - Configuration
  - Example
- Set up LDAP
- Scripted authentication
- File system change monitor
  - How the file system change monitor works
  - Configure the file system change monitor
- Audit events
- Audit event signing
  - How audit event signing works
  - Configure audit event signing
- Event hashing
- IT data signing
- Archive signing
Data Management
- Splunk data management
  - Index management
  - Configuration files for index management
- Create an index
- Remove (delete) data
- Export event data
  - via the CLI
  - via Splunk Web
- Move an index
  - Configuration
- Set a retirement and archiving policy
  - Remove files beyond a certain size
  - Remove files beyond a certain age
- Automate archiving
  - Use Splunk's index aging policy to archive
- Restore archived data
  - Restore with resurrect
  - Restore a copied index archive
- Back up your data
  - Back up your Splunk configurations only
  - Back up your indexed data
- Disk usage
  - Set minimum free disk space
  - Set database size
- Use separate partitions for Splunk's datastore
  - Set up separate partitions
- Use WORM (Write Once Read Many) volumes for Splunk's datastore
  - Configuration
Deployment Server
- How the deployment server works
- Configure a Splunk deployment server
  - Edit deployment.conf
  - Example
- Configure server classes
  - Configuration
  - Example
- Configure deployment clients
- Sync the server and client
  - Configuration changes
Performance Tuning
- Performance tuning Splunk
- Indexing performance
- Search performance
- Storage efficiency
- CPU and memory footprint
  - Improve CPU usage
  - Improve memory usage
- Multi-CPU servers
  - indexes.conf
- 64-bit operating systems
  - indexes.conf
Configuration Files
- How do configuration files work?
  - Configuration file directory structure
  - Configuration file precedence
- Configure application directories
  - Make an application directory
  - Best practice
- Configuration file list
Applications
- About applications
- Install Splunk applications
- About Splunk's application manager
  - View and manage applications
  - Browse SplunkBase
Reference
- Pre-trained source types
  - Automatically recognized source types
  - Pre-trained source types
- Splunk log files
  - Internal logs
  - debug
  - log.cfg
- Work with metrics.log
  - Use metrics.log to troubleshoot issues with data inputs
- Determine what files Splunk is monitoring
  - Run listtails
- Log file rotation
  - How log rotation works
- Index SNMP events with Splunk
- log4j
- Strip syslog headers before processing
  - Configuration
  - Example
- alert_actions.conf
  - alert_actions.conf.spec
  - alert_actions.conf.example
- app.conf
  - app.conf.spec
  - app.conf.example
- audit.conf
  - audit.conf.spec
  - audit.conf.example
- authentication.conf
  - authentication.conf.spec
  - authentication.conf.example
- authorize.conf
  - authorize.conf.spec
  - authorize.conf.example
- commands.conf
  - commands.conf.spec
  - commands.conf.example
- crawl.conf
  - crawl.conf.example
  - crawl.conf.spec
- decorations.conf
  - decorations.conf.spec
  - decorations.conf.example
- deployment.conf
  - deployment.conf.spec
  - deployment.conf.example
- distsearch.conf
  - distsearch.conf.spec
  - distsearch.conf.example
- eventdiscoverer.conf
  - eventdiscoverer.conf.spec
  - eventdiscoverer.conf.example
- eventtypes.conf
  - eventtypes.conf.spec
  - eventtypes.conf.example
- field_actions.conf
  - field_actions.conf.spec
  - field_actions.conf.example
- fields.conf
  - fields.conf.spec
  - fields.conf.example
- indexes.conf
  - indexes.conf.spec
  - indexes.conf.example
- inputs.conf
  - inputs.conf.spec
  - inputs.conf.example
- limits.conf
  - limits.conf.spec
  - limits.conf.example
- literals.conf
  - literals.conf.example
- multikv.conf
  - multikv.conf.spec
  - multikv.conf.example
- outputs.conf
  - outputs.conf.spec
  - outputs.conf.example
- prefs.conf
  - prefs.conf.spec
  - prefs.conf.example
- props.conf
  - props.conf.example
  - props.conf.spec
- props.conf (cont)
  - props.conf.spec, continued
- regmon-filters.conf
  - regmon-filters.conf.spec
  - regmon-filters.conf.example
- restmap.conf
  - restmap.conf.spec
  - restmap.conf.example
- savedsearches.conf
  - savedsearches.conf.spec
  - savedsearches.conf.example
- segmenters.conf
  - segmenters.conf.example
  - segmenters.conf.spec
- server.conf
  - server.conf.example
  - server.conf.spec
- source-classifier.conf
  - source-classifier.conf.example
  - source-classifier.conf.spec
- sourcetypes.conf
  - sourcetypes.conf.example
  - sourcetypes.conf.spec
- streams.conf
  - streams.conf.example
  - streams.conf.spec
- strings.conf
  - strings.conf.example
  - strings.conf.spec
- sysmon.conf
  - sysmon.conf.example
  - sysmon.conf.spec
- tags.conf
  - tags.conf.example
  - tags.conf.spec
- transactiontypes.conf
  - transactiontypes.conf.spec
  - transactiontypes.conf.example
- transforms.conf
  - transforms.conf.spec
  - transforms.conf.example
- user-seed.conf
  - user-seed.conf.example
  - user-seed.conf.spec
- web.conf
  - web.conf.example
  - web.conf.spec
- wmi.conf
  - wmi.conf.example
  - wmi.conf.spec
Troubleshooting
- Contact Support
- Splunkd is down
  - Splunkd may need a few more seconds to come up
  - Your license file contains line-breaks or other hidden characters
- License issues
- Anonymize data samples
  - Simple method
  - Advanced method
- Unable to get a properly formatted response from the server
- Command line tools
  - cmd
  - btool
  - classify
  - gzdumper
  - listtails
  - locktest
  - locktool
  - parsetest
  - pcregextest
  - regextest
  - searchtest
  - signtool
  - tsidxprobe

This page last updated: 06/26/08 01:06pm

Configure multi-value fields

Configure multi-value fields in fields.conf to tell Splunk how to recognize more than one field value in a single extracted field value. Edit fields.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Splunk parses multi-value fields at search time, and allows you to process the values in the search pipeline. Learn which search commands support multi-value fields).

Learn more about using multi-value fields.

Configure multi-value fields via fields.conf

Define a multi-value field by adding a stanza for it in $SPLUNK_HOME/etc/system/local/fields.conf. Tell Splunk how to parse values from a field value by defining a regular expression with the tokenizer key.

Note: If you have other attributes to set for a field, set them in the same stanza underneath tokenizer. See configure fields.conf for more information.

[<field name>]
tokenizer  = $REGEX

[<field name>]

Set this to the name of the field you've defined in props.conf and transforms.conf.
Add indexed or extracted fields.

tokenizer

Define a regular expression to tell Splunk how to parse the field into multiple values.

Example

The following examples from $SPLUNK_HOME/etc/system/README/fields.conf.example break email fields To, From and CC into mutliple values.

[To]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

[From]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

[Cc]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

Previous: Configure fields.conf | Next: Configure tags

Comments

No comments have been submitted.

Log in to comment.