Splunk.com | SplunkBase | Support

Documentation: 3.3

| Print Version Contents

How Splunk Works
- Overview of Splunk
Getting Started
- Start Splunk
- Administration basics
- Change defaults
- Find and index data
- Add more users
  - Splunk local users
- Start searching
Data Inputs
- How input configuration works
- Configure inputs via Splunk Web
  - Configuration
- Configure inputs via the CLI
  - Data input commands
  - Data input types
- Configure inputs via inputs.conf
- Configure inputs for Windows
  - Configure indexing for Windows event logs
  - Configure Windows registry monitoring input
- WMI input
- Windows registry input
- Configure crawl
  - Configuration
  - Example
- Scripted inputs
  - Configuration
  - Example
- Configure whitelist and blacklist rules
- Log file rotation
  - How log rotation works
- Strip syslog headers before processing
  - Configuration
  - Example
- Determine what files Splunk is monitoring
  - Run listtails
- Index SNMP events with Splunk
- log4j
Data Distribution
- How data distribution works
- Enable forwarding and receiving
- Configure target groups in outputs.conf
  - Configuration
  - Example
- Set up routing
- Route specific events to different queues
- Route specific events to an alternate index
  - Configuration
  - Example
- Set up SSL
  - Forwarder
  - Receiver
- Enable cloning
- Set up data balancing
  - Configuration
  - Example
- Route data to third-party systems
  - Configuration
  - Example
Indexing
- How indexing works
  - How events work
  - How segmentation works
- Index multi-line events
  - Configuration
  - Examples
- Configure segmentation
  - Splunk Web segmentation
- Configure custom segmentation for a host, source, or source type
  - via props.conf
  - Example
- Mask sensitive data in an event
  - Configuration
- Configure character set encoding
- Dynamic metadata assignment
  - Configuration
  - Set values with a script
Timestamps
- How timestamp extraction works
  - Precedence rules for timestamp assignment
  - Configure timestamps
- Configure timestamp extraction
- Configure timezone offsets
- Configure European date formats
  - Configure European date format in literals.conf
  - Use the timeformat modifier
- Configure positional timestamp extraction
  - Configure positional timestamp extraction in props.conf
- Tune timestamp extraction for better indexing performance
  - Adjust timestamp lookahead
  - Turn off the timestamp processor
- Train Splunk to recognize a timestamp
Fields
- How fields work
- Create indexed fields via configuration files
  - Configuration
  - Example
- Create extracted fields via configuration files
- Create extracted fields via Splunk Web
- Field actions
  - Configuration
  - Example
- Configure fields.conf
  - Configuration
- Configure multi-value fields
  - Configure multi-value fields via fields.conf
  - Example
- Configure tags
  - Configure tags vis tags.conf
  - Examples
- Automatic header-based field extraction
Hosts
- How host works
- Set default host for a Splunk server
  - via Splunk Web
  - via configuration files
- Define host assignment for an input
  - Statically
  - Dynamically
- Tag hosts
  - via Splunk Web
  - Host tags vs host names
- Extract host per event
  - Configuration
  - Example
Source Types
- How source types work
- Rule-based association of source types
  - Configuration
  - Examples
- Set source type for an input
  - via Splunk Web
  - via configuration files
- Set source type for a source
  - via configuration files
- Train Splunk to recognize a source type
  - via the CLI
- Source type settings in props.conf
- Configure a source type alias
Event Types
- How event types work
- Save event types via Splunk Web
  - Configuration
- Configure eventtypes.conf
- Tag event types
  - Configuration
- Event type discovery
  - Configure event types
- Event type templates
  - Configuration
  - Example
- Dynamic event rendering
Transaction Types
- How transaction types work
  - Define transactions
  - Sample use cases
- Transaction types via configuration files
  - Configuration
  - Example
- Transaction search
  - Transactions and macro search
Search
- How search works
- Set up saved searches
  - via Splunk Web
- Set up saved searches via savedsearches.conf
  - Configuration
  - Example
- Set up alerts via Splunk Web
  - Set up an alert
  - Specify which fields to show
- Set up alerts via savedsearches.conf
- Customize alert options
  - Email options
  - Additional alert customizations
- Create a form search
- Macro searches
  - Configure a macro search
- Configure summary indexing
  - Summary indexing and license volume
  - Manually configure summary indexing
- Live tail
- Send syslog events
  - Configuration
  - Example
- Send SNMP traps
  - Configuration
  - Configure your alert to call a shell script
Distributed Search
- How distributed search works
  - Known issues with distributed search
- Enable distributed search via Splunk Web
- Enable distributed search via the CLI
  - Configuration
- Configure distributed search via distsearch.conf
  - Configuration
  - Example
- Exclude specific Splunk servers from distributed searches
Security
- Security options
  - Authentication
  - Audit
- Enable HTTPS
  - Configuration
  - Certificates
- SSL
  - Configuration
- Configure roles
  - Configuration
  - Example
- Set up LDAP
- Scripted authentication
- File system change monitor
  - How the file system change monitor works
  - Configure the file system change monitor
- Audit events
- Audit event signing
  - How audit event signing works
  - Configure audit event signing
- Event hashing
- IT data signing
- Archive signing
Data Management
- Splunk data management
  - Index management
  - Configuration files for index management
- Create an index
- Remove (delete) data
- Move an index
  - Configuration
- Set a retirement and archiving policy
  - Remove files beyond a certain size
  - Remove files beyond a certain age
- Automate archiving
  - Use Splunk's index aging policy to archive
- Restore archived data
  - Restore with resurrect
  - Restore a copied index archive
- Export event data
  - via the CLI
  - via Splunk Web
- Disk usage
  - Set minimum free disk space
  - Set database size
- Use separate partitions for Splunk's datastore
  - Set up separate partitions
- Use WORM (Write Once Read Many) volumes for Splunk's datastore
  - Configuration
Deployment Server
- How the deployment server works
  - Communication between deployment server and client
  - Configuration files for deployment server
- Configure a Splunk Deployment Server
  - Configuration
  - Example
- Configure server classes
  - Configuration
  - Example
- Configure deployment clients
- Sync the server and client
  - Configuration changes
Performance Tuning
- Performance tuning Splunk
- Indexing performance
- Search performance
- Storage efficiency
- CPU and memory footprint
  - Improve CPU usage
  - Improve memory usage
- Multi-CPU servers
  - indexes.conf
- 64-bit operating systems
  - indexes.conf
- Splunk backup options
  - Back up configurations
  - Back up your entire installation
Configuration Files
- How do configuration files work?
  - Configuration file directory structure
  - Configuration file precedence
- Configure application directories
  - Make an application directory
  - Best practice
- Configuration file list
Applications
- About applications
- Install Splunk applications
Reference
- Splunk log files
  - Internal logs
  - debug
  - log.cfg
- Work with metrics.log
  - Use metrics.log to troubleshoot issues with data inputs
- Pre-trained source types
  - Automatically recognized source types
  - Pre-trained source types
- alert_actions.conf
  - alert_actions.conf.spec
  - alert_actions.conf.example
- app.conf
  - app.conf.spec
  - app.conf.example
- audit.conf
  - audit.conf.spec
  - audit.conf.example
- authentication.conf
  - authentication.conf.spec
  - authentication.conf.example
- authorize.conf
  - authorize.conf.spec
  - authorize.conf.example
- commands.conf
  - commands.conf.spec
  - commands.conf.example
- crawl.conf
  - crawl.conf.example
  - crawl.conf.spec
- decorations.conf
  - decorations.conf.spec
  - decorations.conf.example
- deployment.conf
  - deployment.conf.spec
  - deployment.conf.example
- distsearch.conf
  - distsearch.conf.spec
  - distsearch.conf.example
- eventdiscoverer.conf
  - eventdiscoverer.conf.spec
  - eventdiscoverer.conf.example
- eventtypes.conf
  - eventtypes.conf.spec
  - eventtypes.conf.example
- field_actions.conf
  - field_actions.conf.spec
  - field_actions.conf.example
- fields.conf
  - fields.conf.spec
  - fields.conf.example
- indexes.conf
  - indexes.conf.spec
  - indexes.conf.example
- inputs.conf
  - inputs.conf.spec
  - inputs.conf.example
- limits.conf
  - limits.conf.spec
  - limits.conf.example
- literals.conf
  - literals.conf.example
- multikv.conf
  - multikv.conf.spec
  - multikv.conf.example
- outputs.conf
  - outputs.conf.spec
  - outputs.conf.example
- prefs.conf
  - prefs.conf.spec
  - prefs.conf.example
- props.conf
  - props.conf.example
  - props.conf.spec
- props.conf (cont)
  - props.conf.spec, continued
- regmon-filters.conf
  - regmon-filters.conf.spec
  - regmon-filters.conf.example
- restmap.conf
  - restmap.conf.example
  - restmap.conf.spec
- savedsearches.conf
  - savedsearches.conf.example
  - savedsearches.conf.spec
- segmenters.conf
  - segmenters.conf.example
  - segmenters.conf.spec
- server.conf
  - server.conf.example
  - server.conf.spec
- source-classifier.conf
  - source-classifier.conf.example
  - source-classifier.conf.spec
- sourcetypes.conf
  - sourcetypes.conf.example
  - sourcetypes.conf.spec
- streams.conf
  - streams.conf.example
  - streams.conf.spec
- strings.conf
  - strings.conf.example
  - strings.conf.spec
- sysmon.conf
  - sysmon.conf.example
  - sysmon.conf.spec
- tags.conf
  - tags.conf.spec
  - tags.conf.spec
- transactiontypes.conf
  - transactiontypes.conf.example
  - transactiontypes.conf.spec
- transforms.conf
  - transforms.conf.example
  - transforms.conf.spec
- user-seed.conf
  - user-seed.conf.example
  - user-seed.conf.spec
- web.conf
  - web.conf.example
  - web.conf.spec
- wmi.conf
  - wmi.conf.example
  - wmi.conf.spec
Troubleshooting
- Contact Support
- Splunkd is down
  - Splunkd may need a few more seconds to come up
  - Your license file contains line-breaks or other hidden characters
- License issues
- Anonymize data samples
  - Simple method
  - Advanced method
- Unable to get a properly formatted response from the server
- Command line tools
  - btool
  - classify
  - exporttool
  - gzdumper
  - listtails
  - locktest
  - locktool
  - parsetest
  - pcregextest
  - regextest
  - searchtest
  - signtool
  - tsidxprobe

This page last updated: 09/02/08 11:09am

Enable HTTPS

You can enable HTTPS via Splunk Web or web.conf.

Note: Your Splunk server can listen on either HTTP or HTTPS. It cannot listen on both.

You can also enable SSL through separate configurations.

Important: If you are using Firefox 3, enabling SSL for a Splunk deployment may result in an "invalid security exception" being displayed in the browser. Refer to this workaround documentation for more information.

Configuration

In Splunk Web

To enable HTTPS in Splunk Web, click the Admin link in the upper right hand corner. Then, click Server and choose View Settings. Under Web interface, change the radio button to Yes for Enable SSL (HTTPS) in Splunk Web?

Note: You must restart Splunk to enable the new settings. Also, you must now append "https://" to the URI you use to access Splunk Web.

In web.conf

In order to enable HTTPS, modify web.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

[settings]
httpport = <port number>
enableSplunkWebSSL = true

httpport
- Set the port number to your HTTPS port.

enableSplunkWebSSL
- Set this key to true to enable SSL for Splunk Web.

Once you have made the changes to web.conf restart your Splunk server to read the new changes in.

Certificates

The certificates used for SSL between Splunk Web and the client browser is located in $SPLUNK_HOME/share/splunk/certs/. You can replace the self-signed default certificate with your own.

The certificates for SSL are specified in web.conf. You can change the defaults to your own certificate names.

privKeyPath = /certs/privkey.pem
caCertPath = /certs/cert.pem

Restart Splunk Web from the CLI for your changes to take effect. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.

./splunk restart splunkweb

If your self-signed certificate for Splunk Web expires, you can generate a new one by deleting cert.pem and privkey.pem in $SPLUNK_HOME/share/splunk/certs/.

Previous: Security options | Next: SSL

Comments

the files do not actually need to keep the same names, as long as you specify the correct names in web.conf. i have updated the documentation to reflect this. if you still have issues, please let us know. thanks!
Posted by emma on Sep 02 2008, 12:10pm
When replacing the certificates , the pem encoded files need to keep the same names - cert.pem and privkey.pem.

Also if a passphrase was specified when the private key was generated it will need to be manually entered whenever splunkweb is restarted. Workaround would be to remove the passphrase from the key and have it only readable by root.
Posted by briang67 on Jul 07 2008, 9:58am

Log in to comment.