• How Splunk Works
  • Overview of Splunk
    • Configuration options
    • Installation and upgrade
    • Data inputs
    • Indexing
    • Fields
    • Search
    • Security
    • Data management
    • Deployment server
    • Performance tuning
    • Configuration files
    • Applications
    • Customization
    • Troubleshooting
• Getting Started
  • Start Splunk
    • Before you start
    • Start Splunk on non-Windows platforms
    • Start Splunk on Windows
    • Load Splunk Web in your browser
  • Administration basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Find and index data
    • Add Data
    • Monitor a file
    • Crawl for inputs
  • Add more users
    • Splunk local users
  • Start searching
• Data Inputs
  • How input configuration works
    • Files and directories
    • Network ports
    • Scripted inputs
    • Indexing properties
  • Configure inputs via Splunk Web
    • Configuration
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
  • Configure inputs via inputs.conf
    • Configuration
    • Global settings
    • Input types
    • Examples
  • Configure inputs for Windows
    • Configure indexing for Windows event logs
    • Configure Windows registry monitoring input
  • WMI input
    • Security and remote access considerations
    • Configure WMI input
    • Source and source type for WMI data
  • Windows registry input
    • How it works
    • Get a baseline snapshot
    • What to consider
    • Configure Windows registry input
  • Configure crawl
    • Configuration
    • Example
  • Scripted inputs
    • Configuration
    • Example
  • Configure whitelist and blacklist rules
    • Whitelist (allow) files
    • Blacklist (ignore) files
    • Verify your lists
  • Log file rotation
    • How log rotation works
  • Strip syslog headers before processing
    • Configuration
    • Example
  • Determine what files Splunk is monitoring
    • Run listtails
  • Index SNMP events with Splunk
  • log4j
• Data Distribution
  • How data distribution works
    • Forwarding
    • Routing
    • Cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lightweight forwarding
  • Configure target groups in outputs.conf
    • Configuration
    • Example
  • Set up routing
    • Configuration
    • Basic example
    • Advanced example
  • Route specific events to different queues
    • Configuration
    • Example: Send matching events to nullQueue
    • Example: Send matching events to indexQueue, everything else to nullQueue
  • Route specific events to an alternate index
    • Configuration
    • Example
  • Set up SSL
    • Forwarder
    • Receiver
  • Enable cloning
  • Set up data balancing
    • Configuration
    • Example
  • Route data to third-party systems
    • Configuration
    • Example
• Indexes
  • How indexing works
    • How events work
    • How segmentation works
  • Index multi-line events
    • Configuration
    • Examples
  • Configure segmentation
    • Splunk Web segmentation
  • Configure custom segmentation for a host, source, or source type
    • via props.conf
    • Example
  • Mask sensitive data in an event
    • Configuration
  • Configure character set encoding
    • Supported character sets
    • Manually specify a character set
    • Automatically specify a character set
    • If Splunk doesn't recognize a character set
  • Dynamic metadata assignment
    • Configuration
    • Set values with a script
• Timestamps
  • How timestamp extraction works
    • Precedence rules for timestamp assignment
    • Configure timestamps
  • Configure timestamp extraction
    • Configure timestamp extraction in props.conf
    • Enhanced strptime() support
    • Examples
  • Configure timezone offsets
    • Configure timezone offsets in props.conf
    • zoneinfo (TZ) database
    • Configure timezone offsets for Splunk versions before 3.2
  • Configure European date formats
    • Configure European date format in literals.conf
    • Use the timeformat modifier
  • Configure positional timestamp extraction
    • Configure positional timestamp extraction in props.conf
  • Tune timestamp extraction for better indexing performance
    • Adjust timestamp lookahead
    • Turn off the timestamp processor
  • Train Splunk to recognize a timestamp
    • Steps to configure timestamps with train dates
    • Run the train dates command
    • Create a custom datetime.xml
    • Edit your local props.conf
• Fields
  • How fields work
    • Indexed vs. extracted fields
    • Configure fields
    • Disable automatically extracted fields
    • Configuration files for fields
  • Create indexed fields via configuration files
    • Configuration
    • Example
  • Create extracted fields via configuration files
    • Configuration
    • Example
    • Extract fields from multi-line events
  • Create extracted fields via Splunk Web
  • Field actions
    • Configuration
    • Example
  • Configure fields.conf
    • Configuration
  • Configure multi-value fields
    • Configure multi-value fields via fields.conf
    • Example
  • Configure tags
    • Configure tags vis tags.conf
    • Examples
  • Automatic header-based field extraction
    • How automatic header-based field extraction works
    • Configure automatic header-based field extraction
    • Note about search and header-based field extraction
    • Examples
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via Splunk Web
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via Splunk Web
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
• Source Types
  • How source types work
    • Source vs source type
    • How Splunk can set sourcetype field values
    • How Splunk applies source type values (precedence)
    • Configuration files for source types
  • Rule-based association of source types
    • Configuration
    • Examples
  • Set source type for an input
    • via Splunk Web
    • via configuration files
  • Set source type for a source
    • via configuration files
  • Train Splunk to recognize a source type
    • via the CLI
  • Source type settings in props.conf
  • Configure a source type alias
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Event type discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Save event types via Splunk Web
    • Configuration
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Tag event types
    • Configuration
  • Event type discovery
    • Configure event types
  • Event type templates
    • Configuration
    • Example
  • Dynamic event rendering
    • How dynamic event rendering works
    • Configure dynamic event rendering
    • Example
• Transaction Types
  • How transaction types work
    • Define transactions
    • Sample use cases
  • Transaction types via configuration files
    • Configuration
    • Example
  • Transaction search
    • Transactions and macro search
• Search
  • How search works
    • Saved searches
    • Alerting
    • Live tail
    • Summary indexing
  • Set up saved searches
    • via Splunk Web
  • Set up saved searches via savedsearches.conf
    • Configuration
    • Example
  • Set up alerts via Splunk Web
    • Set up an alert
    • Specify which fields to show
  • Set up alerts via savedsearches.conf
    • alerting options
    • display options
    • Script options
    • Example
  • Customize alert options
    • Email options
    • Additional alert customizations
  • Create a form search
    • Form searches with fields
    • Form searches with predefined values
    • Share your form search
  • Macro searches
    • Configure a macro search
  • Configure summary indexing
    • Summary indexing and license volume
    • Manually configure summary indexing
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the Splunk CLI
    • Current limitations
  • Send syslog events
    • Configuration
    • Example
  • Send SNMP traps
    • Configuration
    • Configure your alert to call a shell script
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via Splunk Web
  • Enable distributed search via the CLI
    • Configuration
  • Configure distributed search via distsearch.conf
    • Configuration
    • Example
  • Exclude specific Splunk servers from distributed searches
• Security
  • Security options
    • Authentication
    • Audit
  • Enable HTTPS
    • Configuration
    • Certificates
  • SSL
    • Configuration
  • Configure roles
    • Configuration
    • Example
  • Set up LDAP
    • Configure LDAP
    • Example
    • Known issues with LDAP
  • Scripted authentication
    • Known issues with scripted auth
    • Configuration
    • Script commands
  • File system change monitor
    • How the file system change monitor works
    • Configure the file system change monitor
  • Audit events
    • Audit event composition
    • Audit event generation
    • Audit event storage
    • Audit event processing
    • Search for audit events
  • Audit event signing
    • How audit event signing works
    • Configure audit event signing
  • Event hashing
    • How event hashing works
    • Event hashing in search results
    • Configure custom decorations for Splunk Web
    • Configure event hashing
    • Configure filtering
  • IT data signing
    • How IT data signatures work
    • Configure IT data signing
    • View the integrity of IT data
    • Performance implications
  • Archive signing
    • How archive signing works
    • Verify archived data signatures
    • Configure coldToFrozen scripts
    • Sign or verify your data slices
• Data Management
  • Splunk data management
    • Index management
    • Configuration files for index management
  • Create an index
    • via Splunk Web
    • via Splunk's CLI
    • via indexes.conf
    • Delete an index
  • Remove (delete) data
    • Remove event data from an index
    • Remove global data
    • Remove user data
    • Remove all data
    • Remove events from search results
  • Move an index
    • Configuration
  • Set a retirement and archiving policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Export event data
    • via the CLI
    • via Splunk Web
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Configuration
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Configuration
    • Example
  • Configure server classes
    • Configuration
    • Example
  • Configure deployment clients
    • Enable/disable clients via the CLI
    • Enable clients via deployment.conf
    • Example
  • Sync the server and client
    • Configuration changes
• Performance Tuning
  • Performance tuning Splunk
    • Hardware considerations
    • Increase indexing performance
    • Increase search speed
    • Improve storage efficiency
    • Reduce the CPU and memory footprint
    • Utilize multiple CPUs
    • 64-bit operating systems
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • indexes.conf
    • props.conf
    • web.conf
    • fields.conf
    • Configure Splunk Web
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Splunk backup options
    • Back up configurations
    • Back up your entire installation
  • Restore archived data
    • Restore with resurrect
    • Restore a copied index archive
• Configuration Files
  • How do configuration files work?
    • Configuration file directory structure
    • Configuration file precedence
  • Configure application directories
    • Make an application directory
    • Best practice
  • Configuration file list
• Applications
  • About applications
    • What are applications?
    • Where do they fit into Splunk?
    • Where can you find them?
    • How do you install them?
  • Install Splunk applications
    • via Splunk's App Manager
    • after download from SplunkBase
    • on an isolated network or machine
  • How to use Splunk-2-Nagios
    • What Splunk-2-Nagios does
    • What Nagios logs
    • Install Splunk-2-Nagios
    • Deployment notes
• Reference
  • Splunk log files
    • Internal logs
    • debug
    • log.cfg
  • Work with metrics.log
    • Use metrics.log to troubleshoot issues with data inputs
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • alert_actions.conf
    • alert_actions.conf.spec
    • alert_actions.conf.example
  • app.conf
    • app.conf.spec
    • app.conf.example
  • audit.conf
    • audit.conf.spec
    • audit.conf.example
  • authentication.conf
    • authentication.conf.spec
    • authentication.conf.example
  • authorize.conf
    • authorize.conf.spec
    • authorize.conf.example
  • commands.conf
    • commands.conf.spec
    • commands.conf.example
  • crawl.conf
    • crawl.conf.example
    • crawl.conf.spec
  • decorations.conf
    • decorations.conf.spec
    • decorations.conf.example
  • deployment.conf
    • deployment.conf.spec
    • deployment.conf.example
  • distsearch.conf
    • distsearch.conf.spec
    • distsearch.conf.example
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
    • eventdiscoverer.conf.example
  • eventtypes.conf
    • eventtypes.conf.spec
    • eventtypes.conf.example
  • field_actions.conf
    • field_actions.conf.spec
    • field_actions.conf.example
  • fields.conf
    • fields.conf.spec
    • fields.conf.example
  • indexes.conf
    • indexes.conf.spec
    • indexes.conf.example
  • inputs.conf
    • inputs.conf.spec
    • inputs.conf.example
  • limits.conf
    • limits.conf.spec
    • limits.conf.example
  • literals.conf
    • literals.conf.example
  • multikv.conf
    • multikv.conf.spec
    • multikv.conf.example
  • outputs.conf
    • outputs.conf.spec
    • outputs.conf.example
  • prefs.conf
    • prefs.conf.spec
    • prefs.conf.example
  • props.conf
    • props.conf.example
    • props.conf.spec
  • props.conf (cont)
    • props.conf.spec, continued
  • regmon-filters.conf
    • regmon-filters.conf.spec
    • regmon-filters.conf.example
  • restmap.conf
    • restmap.conf.example
    • restmap.conf.spec
  • savedsearches.conf
    • savedsearches.conf.example
    • savedsearches.conf.spec
  • segmenters.conf
    • segmenters.conf.example
    • segmenters.conf.spec
  • server.conf
    • server.conf.example
    • server.conf.spec
  • source-classifier.conf
    • source-classifier.conf.example
    • source-classifier.conf.spec
  • sourcetypes.conf
    • sourcetypes.conf.example
    • sourcetypes.conf.spec
  • streams.conf
    • streams.conf.example
    • streams.conf.spec
  • strings.conf
    • strings.conf.example
    • strings.conf.spec
  • sysmon.conf
    • sysmon.conf.example
    • sysmon.conf.spec
  • tags.conf
    • tags.conf.spec
    • tags.conf.spec
  • transactiontypes.conf
    • transactiontypes.conf.example
    • transactiontypes.conf.spec
  • transforms.conf
    • transforms.conf.example
    • transforms.conf.spec
  • user-seed.conf
    • user-seed.conf.example
    • user-seed.conf.spec
  • web.conf
    • web.conf.example
    • web.conf.spec
  • wmi.conf
    • wmi.conf.example
    • wmi.conf.spec
• Troubleshooting
  • Contact Support
    • infoGather
    • Log levels and starting in debug mode
    • Debug Splunk Web
    • Core Files
    • LDAP configurations
  • Splunkd is down
    • Splunkd may need a few more seconds to come up
    • Your license file contains line-breaks or other hidden characters
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • I installed my license in a Preview release and now it doesn't work!
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Unable to get a properly formatted response from the server
  • Command line tools
    • btool
    • classify
    • exporttool
    • gzdumper
    • listtails
    • locktest
    • locktool
    • parsetest
    • pcregextest
    • regextest
    • searchtest
    • signtool
    • tsidxprobe

How input configuration works

Specify data inputs via Splunk's CLI or Splunk Web. You may also use inputs.conf (read more about how to configure inputs via inputs.conf). Changes made via Splunk Web or the Splunk CLI are written to $SPLUNK_HOME/etc/system/local/inputs.conf. Configure Windows inputs via inputs.conf as well.

Read on for a description of Splunk's data input types, including their purpose and behavior.

Files and directories

Data inputs can come from files and directories. Use monitor for continuous, non-destructive inputs from files and directories. Use batch input for one time, destructive file loading.

Monitor

Splunk's monitor behaves like the UNIX tail command. Specify a path to a file or directory and Splunk's monitor processor consumes any new input. If subdirectories exist within the specified directory, Splunk recursively examines them for log files. Splunk automatically adds any new files into the index.

In addition, when monitoring a file:

• Files can be opened or closed.
• Files or directories can be included or excluded through the use of file whitelists and blacklists.
• Upon restart, Splunk continues processing files from where it left off.
• Splunk detects log file rotation and does not process renamed files it has already indexed.

Note: If you are monitoring large files or archives, removing the input does not stop those files being indexed. This does stop files from being checked again, but all the initial content will be indexed. To stop all in-process data, you must restart the Splunk server.

When monitoring a directory:

• Set the sourcetype to Automatic. If the directory contains multiple files of different format, do not set a value for the source type manually. Manually setting a source type forces a single source type for all files in that directory.

Note: If the specified file or directory does not exist, the Splunk server will not check to see if it is created later. Splunk only checks for files and directories each time the Splunk server starts (or is restarted). So be sure to explicitly add new files as inputs when they become available if you don't want to restart the server. When monitoring a file, the entire path dir/filename must not exceed 1024 characters.

Batch upload

Upload files directly through Splunk Web. If necessary, Splunk unpacks and uncompresses files before indexing.

Use the batch processor at the CLI or in inputs.conf to load files once and destructively. By default, Splunk's batch processor is located in $SPLUNK_HOME/var/spool/splunk. For continuous, non-destructive loading of files, use monitor.

FIFO queues

A FIFO (AKA named pipe) is a queue of data maintained in memory. File systems can write log messages directly to a FIFO. Splunk then accesses the FIFO as though it were a file. When choosing the FIFO data input method, consider the following:

• FIFO queues can be a high performance method to get data into Splunk, since the system does not have the I/O burden of writing to both a file on disk and Splunk's index on disk (like monitor).

• FIFO access is very fast, but FIFOs are vulnerable when there are processing disruptions because the in-memory data may be lost.

• You do not have to worry about log file rotation and archiving because the data goes straight from the logging application into Splunk via the queue. There is nothing on disk to manage except for Splunk's index.

• Most syslog implementations can write to FIFO queues in addition to or instead of files.

• Other applications can write to FIFO queues instead of files by just changing a logfile name parameter from a filename to a defined FIFO queue.

Note: FIFOs are not recommended for application servers forwarding data to Splunk in a distributed setting. Monitor is a more reliable, stable method.

Network ports

UDP and TCP ports can feed data into the Splunk Server. UDP and TCP behave differently, and these behaviors affect how data arrives for processing. When configuring network ports, keep in mind that you cannot use ports lower than 1024 if you have not installed Splunk as root.

UDP

UDP is a best effort protocol. This means that you might not get messages if the network is clogged, or has a hiccup. You also can't be absolutely sure the messages aren't spoofed or altered in transit. UDP should be reserved for logging implementations focused on day-to-day troubleshooting rather than compliance or security.

Splunk with an Enterprise license can read directly from the network on any UDP port. Use this configuration to make Splunk act directly as a syslog server by reading remote syslog events on UDP port 514. You can also send any other UDP source of logging data, including SNMP.

Like all network streaming approaches, direct UDP input is higher performance than reading files from disk.

TCP

TCP is a reliable, high-performance choice for many situations, as this protocol includes checks to ensure that data has arrived safely and intact. Splunk with an Enterprise license can receive data on any TCP port, allowing Splunk to receive remote data from syslog-ng and other syslog implementations that use TCP for security or reliability. TCP is the foundation of Splunk's distributed data access.

Note: If the sending process buffers data such that events are broken into multiple pieces, Splunk may interpret the parts as multiple events. This is more likely if events are being generated intermittently, as there may be long pauses (several seconds or longer) between blocks of buffered data. If you notice truncated events, try forcing the process to send events atomically.

Scripted inputs

Configure Splunk to run shell commands on a schedule, and then index the output. For example:

• vmstat, iostat, netstat, and any other network or system status commands.
• SQL DBI
• HTTP and HTTPS requests
• SNMP

See Configure scripted inputs for details on how to set this up.

Indexing properties

Splunk can process any data, regardless of format and it automatically learns event boundaries, classifies events and sources, and finds timestamps. However, sometimes you may want to customize Splunk's default processing. Change processing settings and indexing properties in props.conf.

Some attributes within props.conf can be customized by defining new stanzas in other configuration files. For example, transforms.conf defines regex-based rules for extracting fields, correlating events and performing other transformations. Segmenters.conf and outputs.conf can also define attribute values referenced by props.conf.

Common use cases for custom indexing properties include:

• define additional indexed or extracted fields.
• overriding the value of host on a per-event basis, such as for syslog coming from multiple servers.
• correcting or optimizing how Splunk recognizes timestamps.
• correcting or changing how Splunk recognizes multi-line event boundaries.
• masking sensitive data in an event, such as social security numbers.
• changing how Splunk segments events in its index.