• How Splunk Works
  • Overview of Splunk
    • Configuration options
    • Installation and upgrade
    • Data sources
    • Indexing
    • Fields
    • Search
    • Security
    • Data management
    • Deployment server
    • Performance tuning
    • Configuration files
    • Applications
    • Customization
    • Troubleshooting
• Getting Started
  • Start Splunk
    • Before you start
    • Start Splunk on non-Windows platforms
    • Start Splunk on Windows
    • Load Splunk Web in your browser
  • Administration basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Find and index data
    • Monitor a file
    • Crawl for inputs
  • Add more users
    • Splunk local users
    • Examples
  • Start searching
• Data Inputs
  • How input configuration works
    • Data input methods
    • Sources
    • Windows data sources
    • Crawl
    • Data processing
  • Files and directories
    • Splunk Web
    • CLI
    • Inputs.conf
  • Network ports
    • Splunk Web
    • CLI
    • inputs.conf
  • FIFO
    • Splunk Web
    • CLI
    • inputs.conf
  • Scripted inputs
    • Configuration
    • Example
  • Whitelist and blacklist rules
    • Whitelist (allow) files
    • Blacklist (ignore) files
    • Verify your lists
  • Crawl
    • Configuration
    • Example
  • Windows inputs
    • Configure indexing for Windows event logs
    • Configure Windows registry monitoring input
  • Windows Management Interface (WMI) input
    • Security and remote access considerations
    • Configure WMI input
    • Fields for WMI data
  • Windows registry input
    • How it works
    • Get a baseline snapshot
    • What to consider
    • Configure Windows registry input
• Data Distribution
  • How data distribution works
    • Forwarding
    • Routing
    • Cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Read this before you enable Splunk forwarder or light forwarder
    • Receiving
    • Forwarding
  • Configure target groups in outputs.conf
    • Configuration
    • Example
  • Set up routing
    • Configuration
    • Basic example
    • Advanced example
  • Route specific events to different queues
    • Configuration
    • Example: Send matching events to nullQueue
    • Example: Send matching events to indexQueue, everything else to nullQueue
  • Route specific events to an alternate index
    • Configuration
    • Example
  • Set up SSL
    • Forwarder
    • Receiver
  • Enable cloning
  • Set up data balancing
    • Configuration
    • Example
  • Route data to third-party systems
    • Configuration
    • Example
• Indexing
  • How indexing works
    • How events work
    • How segmentation works
  • Index multi-line events
    • Configuration
    • Examples
  • Configure segmentation
    • Splunk Web segmentation
  • Configure custom segmentation for a host, source, or source type
    • via props.conf
    • Example
  • Mask sensitive data in an event
    • Configuration
  • Configure character set encoding
    • Supported character sets
    • Manually specify a character set
    • Automatically specify a character set
    • If Splunk doesn't recognize a character set
  • Dynamic metadata assignment
    • Configuration
    • Set values with a script
• Timestamps
  • How Splunk extracts timestamps
    • Precedence rules for timestamp assignment
    • Configure timestamps
  • Configure timestamp extraction
    • Configure timestamp extraction in props.conf
    • Enhanced strptime() support
    • Examples
  • Apply timezone offsets
    • Configure timezone offsets in props.conf
    • zoneinfo (TZ) database
    • Configure timezone offsets for Splunk versions before 3.2
  • Recognize European date format
    • Configure European date format in literals.conf
    • Use the timeformat modifier
  • Configure positional timestamp extraction
    • Configure positional timestamp extraction in props.conf
  • Tune timestamp extraction for better indexing performance
    • Adjust timestamp lookahead
    • Turn off the timestamp processor
  • Train Splunk to recognize a timestamp
    • Steps to configure timestamps with train dates
    • Run the train dates command
    • Create a custom datetime.xml
    • Edit your local props.conf
• Fields
  • How fields work
    • Add custom fields
    • Disable automatically extracted fields
    • Indexed fields
  • Create fields via Splunk Web
  • Create fields via configuration files
    • Configuration
    • Examples
  • Create indexed fields via configuration files
    • Configuration
    • Examples
    • How indexed fields work in detail
  • Field actions
    • Configuration
    • Example
  • Configure fields.conf
    • Configuration
  • Configure multi-value fields
    • Configure multi-value fields via fields.conf
    • Example
  • Configure tags
    • Configure tags with tags.conf files
    • Examples
  • Automatic header-based field extraction
    • How automatic header-based field extraction works
    • Configure automatic header-based field extraction
    • Note about search and header-based field extraction
    • Examples
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via Splunk Web
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via Splunk Web
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
• Source Types
  • How source types work
    • Source vs source type
    • How Splunk can set sourcetype field values
    • How Splunk applies source type values (precedence)
    • Configuration files for source types
  • Rule-based association of source types
    • Configuration
    • Examples
  • Set source type for an input
    • via Splunk Web
    • via configuration files
  • Set source type for a source
    • via configuration files
  • Train Splunk to recognize a source type
    • via the CLI
  • Source type settings in props.conf
  • Configure a source type alias
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Event type discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Save event types via Splunk Web
    • Configuration
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Tag event types
    • Configuration
  • Event type discovery
    • Configure event types
  • Event type templates
    • Configuration
    • Example
  • Dynamic event rendering
    • How dynamic event rendering works
    • Configure dynamic event rendering
    • Example
• Transaction Types
  • How transactions work
    • Transaction search
    • Configure transaction types
  • Transaction types via configuration files
    • Configuration
  • Transaction search
    • Search options
    • Transactions and macro search
• Search
  • How search works
    • Saved searches
    • Alerting
    • Live tail
    • Summary indexing
  • Set up saved searches via Splunk Web
    • Save your search
    • Schedule a saved search
  • Set up saved searches via savedsearches.conf
    • Configuration
    • Example
  • Create a form search
    • Form searches with fields
    • Form searches with predefined values
    • Share your form search
  • Macro searches
    • Configure a macro search
  • Manually configure summary indexing
    • Customize summary indexing for a scheduled, saved search
    • Manually populate a manually created summary index
    • Manually configure a scheduled search to populate a summary index
    • Example of a summary index configuration
    • Other configuration files affected by summary indexing
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the Splunk CLI
    • Current limitations
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via Splunk Web
  • Enable distributed search via the CLI
    • Configuration
  • Configure distributed search via distsearch.conf
    • Configuration
    • Example
  • Exclude specific Splunk servers from distributed searches
• Alerts
  • How Alerts Work
    • Enable alerts
    • Customize alerts
    • Considerations
  • Set up alerts via Splunk Web
    • Create a saved search
    • Schedule the search
    • Define alert conditions
    • Configure alert actions
    • Set up an alert on an existing saved search
    • Specify which fields to show
    • View alert history
  • Set up alerts via savedsearches.conf
    • Create a saved search
    • Schedule the search
    • Alert conditions
    • Configure alert actions
    • Example
  • Scripted Alerts
    • Script options
    • Example
  • Customize alert options
    • Configuration
  • Send SNMP traps
    • Configuration
    • Configure your alert to call a shell script
• Security
  • Security options
    • Authentication
    • Audit
  • Enable HTTPS
    • Configuration
    • Certificates
  • SSL
    • Configuration
  • Configure roles
    • Configuration
    • Example
  • Set up LDAP
    • Configure LDAP
    • Example
    • Convert saved searches to LDAP
    • Known issues with LDAP
  • Scripted authentication
    • Known issues with scripted authentication
    • Configuration
    • Script commands
  • File system change monitor
    • How the file system change monitor works
    • Configure the file system change monitor
  • Audit events
    • Audit event composition
    • Audit event generation
    • Audit event storage
    • Audit event processing
    • Search for audit events
  • Audit event signing
    • How audit event signing works
    • Configure audit event signing
  • Event hashing
    • How event hashing works
    • Event hashing in search results
    • Configure custom decorations for Splunk Web
    • Configure event hashing
    • Configure filtering
  • IT data signing
    • How IT data signatures work
    • Configure IT data signing
    • View the integrity of IT data
    • Performance implications
  • Archive signing
    • How archive signing works
    • Verify archived data signatures
    • Configure coldToFrozen scripts
    • Sign or verify your data slices
• Data Management
  • Splunk data management
    • Index management
    • Configuration files for index management
  • Create an index
    • via Splunk Web
    • via Splunk's CLI
    • via indexes.conf
    • Delete an index
  • Remove (delete) data
    • Remove event data from an index
    • Remove user data
    • Remove all data
    • Remove events from search results
  • Export event data
    • via the CLI
    • via Splunk Web
  • Move an index
    • Configuration
  • Set a retirement and archiving policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restore archived data
    • Restore with resurrect
    • Restore a copied index archive
  • Back up your data
    • Back up your Splunk configurations only
    • Back up your indexed data
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Configuration
• Deployment Server
  • How the deployment server works
    • Server classes
    • How configuration files are deployed
    • Location of configuration files for deployment server
    • Communication between deployment server and clients
    • Where to go next
  • Configure a Splunk deployment server
    • Edit deployment.conf
    • Example
  • Configure server classes
    • Configuration
    • Example
  • Configure deployment clients
    • Enable/disable clients via the CLI
    • Enable clients via deployment.conf
    • Example
  • Sync the server and client
    • Configuration changes
• Performance Tuning
  • Performance tuning Splunk
    • Hardware considerations
    • Increase indexing performance
    • Increase search speed
    • Improve storage efficiency
    • Reduce the CPU and memory footprint
    • Utilize multiple CPUs or cores
    • 64-bit operating systems
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • Configure system memory access
    • Configure indexing properties
    • Configure Splunk Web settings
    • Configure indexed fields
    • Configure Splunk Web
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
• Configuration Files
  • How do configuration files work?
    • Configuration file directory structure
    • Configuration file precedence
  • Configure application directories
    • Make an application directory
    • Best practice
  • Configuration file list
• Applications
  • About applications
    • What are applications?
    • Where can you find them?
    • How can I tell what applications are installed?
    • Where do they fit into Splunk?
    • How do you install them?
  • About Splunk's application manager
    • View and manage applications
    • Browse SplunkBase
  • Install Splunk applications
    • via Splunk's App Manager
    • after download from SplunkBase
    • on an isolated network or machine
• Reference
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • Splunk log files
    • Internal logs
    • debug
    • log.cfg
  • Work with metrics.log
    • Use metrics.log to troubleshoot issues with data inputs
  • Log file rotation
    • How log rotation works
  • Determine what files Splunk is monitoring
    • Run listtails
  • Index SNMP events with Splunk
  • log4j
  • Strip syslog headers before processing
    • Configuration
    • Example
  • Wildcards
    • Search
    • Configuration files
  • alert_actions.conf
    • alert_actions.conf.spec
    • alert_actions.conf.example
  • app.conf
    • app.conf.spec
    • app.conf.example
  • audit.conf
    • audit.conf.spec
    • audit.conf.example
  • authentication.conf
    • authentication.conf.spec
    • authentication.conf.example
  • authorize.conf
    • authorize.conf.spec
    • authorize.conf.example
  • commands.conf
    • commands.conf.spec
    • commands.conf.example
  • crawl.conf
    • crawl.conf.example
    • crawl.conf.spec
  • decorations.conf
    • decorations.conf.spec
    • decorations.conf.example
  • deployment.conf
    • deployment.conf.spec
    • deployment.conf.example
  • distsearch.conf
    • distsearch.conf.spec
    • distsearch.conf.example
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
    • eventdiscoverer.conf.example
  • eventtypes.conf
    • eventtypes.conf.spec
    • eventtypes.conf.example
  • field_actions.conf
    • field_actions.conf.spec
    • field_actions.conf.example
  • fields.conf
    • fields.conf.spec
    • fields.conf.example
  • indexes.conf
    • indexes.conf.spec
    • indexes.conf.example
  • inputs.conf
    • inputs.conf.spec
    • inputs.conf.example
  • limits.conf
    • limits.conf.spec
    • limits.conf.example
  • literals.conf
    • literals.conf.example
  • multikv.conf
    • multikv.conf.spec
    • multikv.conf.example
  • outputs.conf
    • outputs.conf.spec
    • outputs.conf.example
  • prefs.conf
    • prefs.conf.spec
    • prefs.conf.example
  • props.conf
    • props.conf.example
    • props.conf.spec
  • props.conf (cont)
    • props.conf.spec, continued
  • regmon-filters.conf
    • regmon-filters.conf.spec
    • regmon-filters.conf.example
  • restmap.conf
    • restmap.conf.spec
    • restmap.conf.example
  • savedsearches.conf
    • savedsearches.conf.spec
    • savedsearches.conf.example
  • segmenters.conf
    • segmenters.conf.example
    • segmenters.conf.spec
  • server.conf
    • server.conf.example
    • server.conf.spec
  • setup.conf
    • setup.conf.spec
  • source-classifier.conf
    • source-classifier.conf.example
    • source-classifier.conf.spec
  • sourcetypes.conf
    • sourcetypes.conf.example
    • sourcetypes.conf.spec
  • streams.conf
    • streams.conf.example
    • streams.conf.spec
  • strings.conf
    • strings.conf.example
    • strings.conf.spec
  • sysmon.conf
    • sysmon.conf.example
    • sysmon.conf.spec
  • tags.conf
    • tags.conf.example
    • tags.conf.spec
  • transactiontypes.conf
    • transactiontypes.conf.spec
    • transactiontypes.conf.example
  • transforms.conf
    • transforms.conf.spec
    • transforms.conf.example
  • user-seed.conf
    • user-seed.conf.example
    • user-seed.conf.spec
  • web.conf
    • web.conf.example
    • web.conf.spec
  • wmi.conf
    • wmi.conf.example
    • wmi.conf.spec
• Troubleshooting
  • Contact Support
    • diag
    • Log levels and starting in debug mode
    • Debug Splunk Web
    • Core Files
    • LDAP configurations
  • Splunkd is down
    • Splunkd may need a few more seconds to come up
    • Your license file contains line-breaks or other hidden characters
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • I installed my license in a Preview release and now it doesn't work!
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Unable to get a properly formatted response from the server
  • Command line tools
    • cmd
    • btool
    • classify
    • gzdumper
    • listtails
    • locktest
    • locktool
    • parsetest
    • pcregextest
    • regextest
    • searchtest
    • signtool
    • tsidxprobe

How input configuration works

Splunk consumes any data you point it at. Before indexing data, you must add your data source as an input. The source is then listed as one of Splunk's default fields (whether it's a file, directory or network port).

Note: Splunk looks for the inputs it is configured to monitor every 24 hours starting from the time it was last restarted. This means that if you add a stanza to monitor a directory or file that doesn't exist yet, it could take up to 24 hours for Splunk to start indexing its contents. To ensure that your input is immediately recognized and indexed, add the input via Splunk Web or by using the add command in the CLI.

Data input methods

Specify data inputs via the following methods:

• Splunk Web.
• Splunk's CLI.
• The inputs.conf configuration file.
• Data distribution.

Most data sources can be specified via Splunk Web. For more extensive configuration options, use inputs.conf. Changes made via Splunk Web or the Splunk CLI are written to $SPLUNK_HOME/etc/system/local/inputs.conf. Configure Windows inputs via inputs.conf as well.

Sources

Splunk accepts data inputs from a wide range of sources. Here's a basic overview of your options. Read on through the Data Inputs and Data Distribution sections of this manual for configuration specifics.

Files and directories

Many data inputs come directly from files and directories. For the most part, you can use Splunk's monitor processor to index data in files and directories. If you have a large archive of historical data, you may want to use batch. Data sent via batch is loaded once and the original files are deleted when Splunk is done indexing them. Keep this in mind when using batch input.

You can also configure Splunk's file system change monitor to watch for changes in your file system. However, you cannot currently use both monitor and file system change monitor to follow the same directory or file. If you want to see changes in a directory, use file system change monitor. If you want to index new events in a directory, use monitor.

To configure files and directories, see files and directories.

To configure file system change monitor, see the page on file system change monitor.

Monitor

Specify a path to a file or directory and Splunk's monitor processor consumes any new input. You can also specify a mounted or shared directory, as long as the Splunk server can see the directory. If the specified directory contains subdirectories, Splunk recursively examines them for new files. Splunk only checks for files and directories each time the Splunk server starts/restarts, so be sure to add new sources when they become available if you don't want to restart the server. You can also use crawl to discover new sources

When using monitor:

• Files can be opened or closed for writing. Splunk consumes files even if they're still being written to by the operating system.
• Files or directories can be included or excluded via whitelists and blacklists. For more information, see "Whitelist and blacklist rules" in this manual.
• Upon restart, Splunk continues processing files where it left off.
• Splunk unpacks compressed archive files before it reads them. Splunk can handle the following common archive filetypes: tar, gz, bz2, tar.gz, tgz, tbz, tbz2, zip, and z, and it processes compressed files according to their extension. Keep in mind that unpacking large amounts of compressed files can cause performance issues, so you may want to store old archive files where they are not monitored by Splunk.
• Splunk detects log file rotation and does not process renamed files it has already indexed, with the exception of archive filetypes such as .tar and .gz, which it will not recognize as being the same as the uncompressed originals (you can exclude them with the blacklist functionality mentioned above). For more information see "Log file rotation" in this manual.
• The entire path dir/filename for a monitored file must not exceed 1024 characters.
• Set the sourcetype to Automatic when you monitor a directory. If the directory contains multiple files of different formats, do not set a value for the source type manually. Manually setting a source type forces a single source type for all files in that directory.
• Removing an input does not stop Splunk from indexing files. Instead, it stops Splunk from checking files checked again. Splunk will continue to index all the initial content. To stop all in-process data, you must restart the Splunk server.

Note: Splunk looks for the inputs it is configured to monitor every 24 hours starting from the time it was last restarted. This means that if you add a stanza to monitor a directory or file that doesn't exist yet, it could take up to 24 hours for Splunk to start indexing its contents. To ensure that your input is immediately recognized and indexed, add the input via Splunk Web or by using the add command in the CLI.

Important: To avoid performance issues, Splunk recommends that you set followTail=1 in inputs.conf if you are deploying Splunk to systems containing significant quantities of historical data. Setting followTail=1 for a monitor input means that any new incoming data is indexed when it arrives, but anything already in files on the system when Splunk was first started will not be processed.

Upload files

Upload files directly through Splunk Web. If necessary, Splunk uncompresses files before indexing.

Use the batch processor at the CLI to load files once and destructively. By default, Splunk's batch processor is located in $SPLUNK_HOME/var/spool/splunk. If you move a file into this directory, Splunk indexes it and deletes it. You should only use this for large archives of historical data. For most inputs, use monitor.

FIFO queues

Caution: Due to their vulnerability, FIFOs are not recommended. Monitor is a more reliable, stable method. Support FIFO inputs is deprecated and will be removed in a future release of Splunk.

A FIFO (AKA named pipe) is a queue of data maintained in memory. File systems can write log messages directly to a FIFO. Splunk then accesses the FIFO as though it were a file. FIFO access is very fast, but FIFOs are vulnerable when there are processing disruptions because the in-memory data may be lost.

To configure FIFO cues, see this page.

Network ports

You can configure Splunk with an Enterprise license to listen on any network port. This is the best method to send data to your Splunk server from any machine (see data distribution for more information). When configuring network ports, keep in mind that you cannot use ports lower than 1024 if you have not installed Splunk as root.

To configure network ports, see this page.

UDP

UDP is a best effort protocol, so you might not get messages if the network is clogged or goes down. You also can't be absolutely sure the messages aren't spoofed or altered in transit. Use UDP for day-to-day troubleshooting rather than compliance or security.

Splunk with an Enterprise license can read directly from the network on any UDP port. Use this configuration to make Splunk act directly as a syslog server by reading remote syslog events on UDP port 514. You can also send any other UDP source of logging data.

TCP

TCP is a reliable, high-performance choice for many situations, as TCP checks to ensure that data has arrived safely and intact. Splunk with an Enterprise license can receive data on any TCP port, allowing Splunk to receive remote data from syslog-ng and other syslog implementations that use TCP for security or reliability. TCP is the foundation of Splunk's data distribution architecture.

Scripted inputs

Configure Splunk to run shell commands on a schedule, and then index the output.

For example:

• vmstat, iostat, netstat, and any other network or system status commands.
• SQL DBI.
• HTTP and HTTPS requests.
• SNMP.

See configure scripted inputs for details on setting this up.

Windows data sources

By default, Splunk for Windows indexes all Windows Application, System, and Security event logs. Splunk for Windows can also monitor and index changes to your registry and accept WMI data input. For more information on configuring Splunk for Windows, see this page.

Crawl

Discover new inputs automatically. Crawl uses rules you configure to traverse any given directory structure. Splunk adds new inputs you find via crawl to inputs.conf.

Data processing

Once Splunk consumes data, it sends it to the universal processing pipeline, where it further processes your data. Splunk automatically learns event boundaries, classifies events and sources, and finds timestamps. However, you may want to customize Splunk's default processing. Change processing settings and indexing properties via props.conf.

Some attributes within props.conf can be customized by defining new stanzas in other configuration files. For example, transforms.conf defines regex-based rules for extracting fields, correlating events and performing other transformations. Segmenters.conf and outputs.conf can also define attribute values referenced by props.conf.

Common use cases for custom indexing properties include:

• Define additional indexed or extracted fields.
• Override the value of host on a per-event basis, such as for syslog coming from multiple servers.
• Customize how Splunk recognizes timestamps.
• Change how Splunk recognizes multi-line event boundaries.
• Mask sensitive data in an event, such as social security numbers.
• Customize how Splunk segments events in its index.