• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Use Splunk Web
  • About Splunk Web
    • Dashboards
    • Preferences
    • Admin pages
  • Change Splunk Web preferences
    • Search
    • General
  • About Splunk server settings
    • View server settings
    • Control server
    • Configure authentication method
  • Change Splunk server default settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
• Add inputs
  • About inputs
    • Files and directories
    • FIFO queues
    • Network ports
  • Use Data Inputs page
    • Access Data Inputs page
    • Run crawls
    • Add files and directories
    • Add FIFO queues
    • Add network ports
  • Use crawl
    • Run a crawl
    • Save a crawl
• Index
  • About indexes and indexing
    • Events, segments, and fields
    • Search and indexes
  • Manage your indexes
    • View and manage indexes
    • Edit index properties
  • Create new index
    • via Splunk Web
    • via the CLI
  • Delete an index
• Search
  • Splunk search
    • Generate search results
    • Construct searches
    • Types of search
    • Save and schedule searches
    • Tune search performance
  • Form search
    • Run a form search
  • Transactions
    • Example use cases
    • The transaction search command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
  • Macro search
    • Configure a macro search
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Tag
  • About tags
    • Search for events containing tags
    • Configure tags
    • Configure roles for tagging
  • Tag fields (including: event types, hosts, and sources)
    • Tag hosts or sources
    • Tag event types
  • Example: tagcreate and tagdelete
    • Create tags
    • Delete tags
  • Alias a source type
    • Add/edit a source type alias
• Report
  • Run reports
    • Report on results
    • Report on fields
    • Report using reporting commands
    • Choose different charts
    • Add a report to your dashboard
    • Summary indexing
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
  • Summary indexing
    • How summary indexing works
    • Configure summary indexing
    • Search commands useful to summary indexing
    • General guidelines for summary indexing
    • Aggregated statistics
    • Gaps and overlaps
• Save, Schedule, and Alert
  • Save, schedule, and set alerts
    • Save a search
    • Schedule the search
    • Configure an alert
    • Enable summary indexing
  • Find and manage saved searches
    • Delete or modify saved searches
    • Display saved searches on dashboard
• Use the Splunk Command Line Interface (CLI)
  • The Splunk CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Asynchronous searches (dispatch CLI command)
    • CLI search parameters
  • Change default Splunk server settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Search reference
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • Fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • Field list
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Generate data
    • crawl
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transform and report
    • associate
    • chart
    • cluster
    • contingency
    • collect
    • correlate
    • diff
    • eventstats
    • format
    • highlight
    • makemv
    • mvcombine
    • mvexpand
    • nomv
    • overlap
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extract
    • addinfo
    • extract (kv)
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
  • Unsupported search commands
    • createrss
    • dispatch
    • folderize
    • gentimes
    • idxprobe
    • inputcsv
    • load
    • map
    • outputatom
    • outputcsv
    • outputraw
    • outputtext
    • outputxml
    • page
    • rawstats
    • save
    • sendemail
    • tagcreate
    • tagdelete
    • tags
    • tagset
    • translate
  • Deprecated search commands
    • nopartial
    • remote
    • searchps
    • select
    • streamedcsv
    • summary
    • timeline
    • uniq
• CLI command reference
  • Command Line Interface (CLI) commands
    • Syntax
    • Command list

Use Data Inputs page

This topic discusses how to use Splunk Web's Admin > Data Inputs page to add new inputs and edit existing inputs. These inputs include files, directories, FIFO queues, and network ports.

For more information about the different inputs you can add to Splunk, read About inputs.

Access Data Inputs page

In Splunk Web, you can add and manage all your data inputs from the Admin page:

1. On the upper righthand corner of any of the dashboards, click Admin.

2. From the lefthand navigation list, click Data Inputs.

This takes you to the Admin > Data Inputs: All page which tells you how many inputs you have in each category: Files & Directories, FIFO Queue, Network Ports, and Crawls.

You can add new inputs directly from this page by clicking Add input in the "Actions" column. If you want to view and edit the actual inputs, click on the input category.

Run crawls

Use the Data Inputs: Crawls page to run:

• New crawls that search for input sources to add.
• Saved crawls that update existing inputs.

Refer to Use crawl for more information on this search feature.

Add files and directories

Use the Data Inputs: Files & Directories page to view and edit properties for monitored directories and uploaded files. Configure new inputs by clicking New Inputs. Change existing inputs by clicking on the input's path in the File or Directory column.

To add a new input:

1. Click New Input.

2. Under Data access, choose one of the following options:

• Monitor a directory: to index a directory and continuously update when changes are made to that directory.
• Upload a local file: to upload a file from your machine and index it.
• Index a file on the Splunk server: to copy a file from the server directly into the your index.

3. Specify a pathname to the file or directory. If you choose to Upload a local file, you can browse for the source.

4. Under Host, select the host type under Set host and supply the required host value. Your host options depend on the data access method you selected in Step 2.

If you chose Monitor a directory, the Set host options include:

• Constant value: requires a fully qualified domain name or IP address.
• Regex on path: requires a regular expression for the host path.
• Sement in path: requires a segment number.

If you chose Upload a local file or Index a file on the Splunk server, you can only set Set host to Constant value. This requires a fully qualified domain name or IP address.

Note: Refer to the Admin manual for more information about assigning host values to an input.

5. Under Source Type, set the source type to:

• Automatic: to let Splunk define the sourcetype value.
• From list: to select from a drop-down list of existing sourcetype values.
• Manual: to supply a custom sourcetype value in the field provided.

6. Click Submit to save your new input.

Note: Refer to the Admin manual for more information about setting the source type for an input.

Add FIFO queues

Use the Data Inputs: FIFO Queues page to view and edit properties of each FIFO processed by Splunk. Configure new inputs by clicking New Inputs. Change existing inputs by clicking on the input's path in the list.

To add a new input:

1. Click New Input.

2. Under Source, type in the path to the FIFO.

3. Under Host, select the host type under Set host and supply the required host value.
Note: You only have one host type option, Constant value, which requires a Fully qualified domain name or IP address.

4. Under Source Type, set the source type to:

• From list: to select from a drop-down list of existing sourcetype values.
• Manual: to supply a custom sourcetype value in the field provided.

Note: If you chose From list, the default Source type is access_combined.

5. Click Submit to save your new input.

Add network ports

Use the Data Inputs: Network Ports page to view and edit properties for UDP or TCP ports watched by Splunk. Configure new inputs by clicking New Inputs. Change existing inputs by clicking on the input's path in the list.

To add a new input:

1. Click New Input.

2. Under Source, select a Protocol and supply a Port number:

• If you select UDP, the Port defaults to 514.
• If you select TCP, the Port defaults to 9998.

Note: The default protocol is TCP.

3. Specify whether or not you want this port to accept connections from all host (Yes) or restrict to one host (No).

If you chose No, supply the IP address of the Host in the field provided.

4. Under Source Type, set the source type to:

• From list: to select from a drop-down list of existing sourcetype values.
• Manual: to supply a custom sourcetype value in the field provided.

Note: If you chose From list, the default Source type is syslog.

5. Click Submit to save your new input.