This document last updated: 07/03/08 06:07pm

Print Admin Manual

How Splunk Works

Overview of Splunk

Splunk is search software for any type of data. Learn more about how Splunk works by reading through this introductory page. You'll find many links here for installing, configuring and customizing your Splunk installation.

Configuration options

Splunk has several options for configuration: a web interface (known as Splunk Web), a CLI and configuration files. Most of Splunk's configurations can be reached through the Admin section of Splunk Web. Some advanced settings are only available through configuration files.

Installation and upgrade

Installing Splunk is easy and fast. Here are instructions for installing, upgrading, or backing up an existing copy.

• Installation
  • Installation instructions for all supported platforms can be found in the Installation Manual
  • On *nix platforms, use a tarball or RPM file.
  • On Mac, use a tarball or DMG file.
  • On Windows, download the .exe file and install. Instructions for Windows install are located here.
• Upgrade
  • There are a lot of new features available in 3.3. You may want to consider an upgrade if you are running an earlier version.
  • Upgrade instructions are here.

• It's a good idea to back up your current instance before you upgrade.

Data inputs

Splunk can receive data in a variety of ways. Each configuration change can be affected via:

• Splunk Web
  • Upon first run, Splunk contains a link to enable monitoring /var/log.
  • Configure other inputs through the Admin section of Splunk Web.
• CLI
  • Use Splunk's CLI to set up data inputs.
• Configuration files
  • Use inputs.conf to configure advanced input settings.
• Crawl
  • Use Splunk's new Crawl feature to search for new data inputs and files on your Splunk server.

Read on for a brief description of each input type.

• Monitor
  • Use monitor to stream live data into Splunk.
  • Monitor works for continuous inputs from files or directories.
• Upload
  • Upload a file directly to Splunk Web.
  • Files can be local to the workstation or on the Splunk server.
• Network ports
  • Splunk supports UDP and TCP connections.
  • Configure syslog on UDP 514.
  • Use TCP connections for log4j.
• Distributed
  • One Splunk Server can receive data from any number of other Splunk Servers via data distribution (description below).
  • This port is configurable, but defaults to 9998.
• Scripted inputs
  • Use scripted inputs to receive the outputs of command-line tools (such as vmstat, iostat, netstat, top, etc.) or other programs.
  • Learn more about scripted inputs.

Note: For a more in-depth description of inputs, read how input configuration works.

Windows

Splunk for Windows comes with its own set of configuration files for setting up Windows-specific inputs, including Windows registry and WMI. Read more about configuring Windows inputs.

Distributed data

Configure distributed inputs and outputs across your network. Send data between one Splunk instance and another, or third party software. For an overview on all the available configuration options, see How data distribution works.

• Forwarding and receiving
  • A Splunk Server in forwarding mode can send data to one or more Splunk instances.
  • Any Splunk Server can receive data from one or more Splunk instances.
  • Learn more about forwarding and receiving.

• 3rd party systems
  • Splunk can also forward raw data to any other system or software.
  • You can set up Splunk to send or receive data from 3rd party systems. Learn how.

Indexing

Splunk takes all data from inputs and sends it to an indexing pipeline. Data is then broken up into separate events via segmentation rules. Most data is segmented and timestamped correctly. However, you may wish to configure Splunk to index your data in particular ways. Learn more about how indexing works.

Here are some things you might want to consider:

• Configure event boundaries
• Configure segmentation
• Mask sensitive data
• Character set
• Timestamp recognition

Configuration for indexing is set mostly through props.conf and transforms.conf.

Fields

Fields are a useful aspect of Splunk's search interface. You can use Splunk's built-in fields that are enabled by default. Here's a list of Splunk's default fields, including links to more in-depth documentation:

• Source
  • The source field specifies the path to the original data input.
  • It is set automatically, but can be tagged.
• Host
  • Host is the label for the device that originated the event.
  • Read more about host.
• Source type
  • A source type refers to any common format of data produced by a group of sources, such as weblogic or syslog.
  • Learn more about source types.
• Event types
  • Event types are groups of common events.
  • Learn more about event types.

You can also create your own fields. Custom fields are useful for:

• Customizing searches (see below for search options).
• Creating field actions.
• Enabling event type templates.

To learn more about creating custom fields, see how fields work.

Search

Splunk's search interface is useful for tracking down different aspects of your data. Here are a few things you can do with your searches:

• Search commands.
  • Splunk has a powerful search language.
  • Craft simple to sophisticated searches.
• Save searches.
  • Any search can be saved and run at any time.
  • Save searches with variables to fill in at search time, including:
    • Form search.
    • Macro search.
• LiveTail
  • Run a search to watch data in real time as it's indexed, like tail -f in *nix.
  • Read more about Live Tail.
• Alerts
  • Schedule Splunk to send search results via email or RSS.
• Summary indexing
  • Save the output of any search to a special index.
• Transactions
  • Search for transactions that occur across events, such as email threads, store purchases

For a more detailed overview of search, see how search works.

Distributed search

In a distributed set up, you may want to search across multiple instances of Splunk. Enable distributed search to federate searches across your entire Splunk deployment. Read more about how distributed search works.

Security

Secure your Splunk server with the following security configuration options. Here's a brief overview of the available features. For a more detailed overview, see security options.

Authentication

Splunk includes several authentication options, including:

• Roles, which allow you to set up:
  • User roles capabilities.
  • User-based access controls.
• LDAP
  • Set up LDAP.
• SSL
  • Enable HTTPS.
  • Or SSL for Splunk's back-end.

Audit

Use the following options to enable separate auditing configurations:

• File system monitor
  • The file system change monitor watches any designated file system and sends an event if files or directories are affected in any way.
  • By default, Splunk monitors its own $SPLUNK_HOME/etc/ directory for configuration changes.
• Audit events
  • Events generated by the file system change monitor as well as user activity within Splunk.
  • Audit events are stored in a separate index, _audit.
• Audit event signing
  • Set up cryptographic signing for audit events.
• IT data signing
  • Enable cryptographic signing for all your events as they enter Splunk.
• Archive signing
  • Sign your data as it is archived.
• Event decorations
  • Mark your audit events with icons so they're more noticeable.

Data management

Splunk servers often index large amounts of data each day. You may want to enable advanced settings to handle the following data management scenarios.

• Index management, including:
  • Add or remove an index.
  • Delete data from the index.
  • Move an index.

• Data archiving, including:
  • Set retirement policy.
  • Automate archiving.
  • Restore archived data.
  • Export event data.

• Storage options:
  • Disk usage.
  • Use separate partitions for Splunk's data store.
  • Use WORM (Write Once Read Many) volumes for Splunk's data store.

Note: Many data management settings are enabled on a per-index basis, using indexes.conf. To learn more about indexes, see how indexes work.

Deployment server

In a distributed set up, enable one or more Splunk instances as deployment servers. A deployment server pushes out configuration changes to other Splunk instances.

For a complete overview of all deployment options, read the Deployment manual. For instructions on configuring and enabling the deployment server and clients, read the Admin manual section on the deployment server.

Performance tuning

The following options help you tune Splunk's performance for your environment. Depending on your system and requirements, you may want to change one or more of the following settings:

• Indexing
  • Change various configurations to speed up Splunk's intake of data.
• Search
  • Settings for faster return of search results.
• Storage efficiency
  • Cut down on the space of your Splunk index.
• CPU and memory footprint
  • Tune Splunk's CPU usage and memory settings.
• Backup
  • Back up your Splunk install.
  • Note: It is a good idea to backup Splunk before performing any migrations or upgrades.

A more in-depth overview of performance tuning options is available here.

Configuration files

Many of Splunk's advanced configurations and customizations are available only through configuration files. Create configurations by copying files into a custom application directory. Learn more about application directories and configuring application directories.

Applications

Applications are directories of configuration files with specific purposes. For example, Splunk-2-Netcool. Configure your own applications by following these instructions.

You can also share your configuration file directories as applications with the Splunk community on SplunkBase.

Customization

Pimp your Splunk! Everybody's data is a little bit different. Maybe you want to set custom configurations for the system you're running Splunk on. Here are options for personalizing your Splunk instance.

Splunk Web appearance

Change various aspects of Splunk Web's appearance:

• Dashboards
  • Configure user settings and dashboards via prefs.conf.
• Decorations
  • Set icons for event types with dynamic event rendering.
• Literals
  • Change the externalized strings in Splunk Web via literals.conf.
• Skinning
  • Change the way your web interface looks.
  • Read the Developer's Guide for help with skinning Splunk.

Extend Splunk

Splunk includes a REST API. Read the Developer's Guide to learn more about the REST API. To configure additional REST endpoints, use restmap.conf.

Troubleshooting

If there's something you need help with, even after reading the documentation, contact Splunk support.

If there's a feature you don't see here that you want included, file an enhancement request with Splunk support.

We're always interested in your feedback.

• Splunk support.
• Splunk forums.

Getting Started

Start Splunk

This topic serves only as a brief instruction to starting Splunk. If you are new to Splunk, we recommending reviewing the User Manual first.

Before you start

Before starting Splunk, install the software. Refer to the Installation Manual for system requirements and step-by-step instructions. Make sure you install the correct version of Splunk and that you are installing on a supported filesystem.

Start Splunk on non-Windows platforms

Splunk's command line interface is located in $SPLUNK_HOME/bin/. $SPLUNK_HOME refers to the path you installed under. Navigate to this location and run the following command:

# ./splunk start

You must accept Splunk's EULA the first time you start Splunk after a new installation. To bypass this step, start Splunk and accept the license in one step:

# ./splunk start --accept-license

NOTE: There are two dashes before the accept-license option.

Start Splunk on Windows

On Windows, Splunk is installed by default into \Program Files\Splunk

Start and stop the following Splunk processes via the Windows Services Manager:

• Server daemon: splunkd
• Web interface: splunkweb

You can also start, stop, and restart both processes at once by going to \Program Files\Splunk\bin and typing
# splunk.exe [start|stop|restart]

Load Splunk Web in your browser

Navigate to:

http://mysplunkhost:8000

Use whatever host and port you chose during installation.

The first time you login to Splunk with an Enterprise license, use username admin and password changeme. Splunk with a free license does not have access controls.

Administration basics

The $SPLUNK_HOME variable refers to the top level directory of your installation. By default, this is /opt/splunk/.

Add Splunk to your shell path

To save a lot of typing, set a SPLUNK_HOME environment variable and add $SPLUNK_HOME/bin to your shell's path. The example below works for bash users who accepted the default installation location. Use the correct syntax and path for your own installation.

# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH

Splunk's CLI

Splunk's command line interface is located in $SPLUNK_HOME/bin/. If you have exported the path and environment variables (as explained above), you can use the splunk command as follows:

# splunk [action] [object] [-parameter value] ....

If you haven't set an environment variable, navigate to $SPLUNK_HOME/bin/ and run commands as follows:

#./splunk [action] [object] [-parameter value] ....

For general help, type:

# splunk help

For a list of commands and options, type:

# splunk help commands

For Splunk with an Enterprise license, administration commands must be authenticated with a username and password. To authenticate for an entire session, type:

# splunk login

This command prompts you for a Splunk username and password. Use the same username and password for the CLI and Splunk Web. By default, the login is set to admin and the password is changeme.

Logout at any time by typing:

# splunk logout

To authenticate a single command, use the -auth parameter:

# splunk search foo -auth username:password

Note: the -auth string must be the last term in the CLI command.

Start/stop Splunk, check status

Ensure that you have added Splunk to your server host's path (as explained above, in "Adding Splunk to your shell path"). Otherwise you must use the ./splunk command.

Start the Server

From a shell prompt on the Splunk sever host, run this command:

# splunk start

Alternately, start either splunkd (to load back-end configuration) or Splunk Web (to load web configuration):

# splunk start splunkd

# splunk start splunkweb

Or restart Splunk (splunkd or Splunk Web) by running:

# splunk restart

# splunk restart splunkd

# splunk restart splunkweb

Stop the Server

To shut down Splunk, run this command:

# splunk stop

Also available for splunkd and Splunk Web:

# splunk stop splunkd

# splunk stop splunkweb

Check if Splunk is running

To check if Splunk is running, type this command at the shell prompt on the sever host:

# splunk status

You should see this output:

splunkd is running (PID: 3162).
splunk helpers are running (PIDs: 3164).
splunkweb is running (PID: 3216).

Or you can use ps to check for running Splunk processes:

# ps aux | grep splunk | grep -v grep

Solaris users, type -ef instead of aux:

# ps -ef | grep splunk | grep -v grep

Help

Help is available in several forms.

Help Options

• From the CLI:
  • Type # splunk help
• From Splunk Web:
  • Follow the help link in the upper right hand corner of Splunk Web.
  • Click the tutorial link from the Splunk Web landing page.
• Contact Splunk Support:
  • Many options are available on the support portal.
  • Email Splunk support.

Change defaults

Changing the admin default password

Splunk with an Enterprise license has a default administration account and password. It is highly recommended that you change the default. You can do this via Splunk's CLI or Splunk Web.

Note: CLI commands assume you have set a Splunk environment variable. If you have not, navigate to $SPLUNK_HOME/bin and run the ./splunk command.

via Splunk Web

• Log in as admin.

• Click Admin in the top-right of the interface:

• Click the Users tab:

• Under the Action heading click Edit.

• Type in the new information and click Save.

via Splunk CLI

The Splunk CLI command is:

# splunk edit user

Note: You must authenticate with the existing password before it can be changed. Log into Splunk via the CLI or use the -auth parameter.

For example:

# splunk edit user admin -password foo -auth admin:changeme

This command changes the admin password from changeme to foo.

Changing network ports

Splunk uses two ports. They default to:

• 8000 - HTTP or HTTPS socket for Splunk Web.
• 8089 - Splunkd management port. Used to communicate with the splunkd daemon. Splunk Web talks to splunkd on this port, as does the command line interface and any distributed connections from other servers.

via Splunk Web

• To change the port settings via Splunk Web, click the Admin link in the upper right hand corner:

• Then, click the Server tab. Click on Settings and change the port assignments:

via Splunk CLI

To change the port settings via the Splunk CLI, use the CLI command set.

# splunk set web-port 9000

This command sets the Splunk Web port to 9000.

# splunk set splunkd-port 9089

This command sets the splunkd port to 9089.

Changing the default Splunk server name

The Splunk server name setting controls both the name displayed within Splunk Web and the name sent to other Splunk Servers in a distributed setting.

The default name is taken from either the DNS or IP address of the Splunk Server host.

via Splunk Web

• To change this setting, click the Admin link in the upper right-hand corner:

• Then, click the Server tab and modify the Splunk Server name variable under the Settings tab:

via Splunk CLI

To change the server name via the CLI, type the following:

# splunk set servername foo

This command sets the servername to foo.

Changing the datastore location

The datastore is the top-level directory where the Splunk Server stores all indexed data, user accounts, and working files.

Note: If you change this directory, the server does not migrate old datastore files. Instead, it starts over again at the new location.

To migrate your data to another directory follow the instructions in Move an index.

via Splunk Web

• To change this setting, click the Admin link in the upper right hand corner:

• Then, click the Server tab and modify the Datastore path variable under the Settings tab:

via Splunk CLI

To change the server name via the CLI, type the following:

# splunk set datastore-dir /var/splunk/

This command sets the datastore directory to /var/splunk/.

Set minimum free disk space

The minimum free disk space setting controls how low disk space in the datastore location can fall before Splunk stops indexing.

Splunk resumes indexing when more space becomes available. For detailed information on how to manage Splunk server disk usage, see Disk usage.

via Splunk Web

• To change this setting, click the Admin link in the upper right-hand corner:

• Then, click the Server tab and modify the variable below Pause indexing if free disk space falls below under the Settings tab:

via Splunk CLI

To change the server name via the CLI, type the following:

# splunk set minfreemb 2000

This command sets the minimum free space to 2000 MB.

Find and index data

There are several methods to get your data into Splunk. Add data via Splunk Web, Splunk's CLI, a configuration file, with scripts, or 3rd party software.

Here's a brief intro on getting data into Splunk. For more detailed instructions, follow any of the links above.

Add Data

When you first log in to Splunk Web, you're provided a link to begin monitoring /var/log locally.

There are many other ways to specify data inputs in Splunk. This section is a high-level description of these techniques. For more detailed methods, see the data inputs section.

Monitor a file

When you specify a file to monitor, Splunk processes the entire file and then watches the file and processes additions to it. When you give a directory name to process, Splunk recursively searches all subdirectories looking for files resembling log files. You can explicitly include or exclude files with whitelisting and blacklisting.

Monitor files via Splunk Web

Manage your indexed files and add new files to your index from the Admin > Data Inputs: Files & Directories page.

1. To access the Admin page, click the Admin link in the upper right-hand corner.
The Admin page opens to the Server settings page.

2. From the navigation links on the left, click Data Inputs.
The Admin > Data Inputs: All page opens.

3. From the navigation links on the left or the table of input types, click Files & Directories.
The Admin > Data Inputs: FIles & Directories page opens.

4. Click New Input.
The Admin > Data Inputs: Files & Directories: New Input opens.

Monitor files via the CLI

Use the splunk add command. These commands assume you have set a Splunk environment variable. If you have not, you must navigate to $SPLUNK_HOME/bin and run the ./splunk command.

For example:

splunk add monitor /var/log/

This command monitors all files in /var/log/.

Crawl for inputs

Splunk 3.3 introduces the new crawl feature. Crawl your file system for potential logs and data to index. Read more about crawl in the data inputs sections.

Add more users

There are three default user roles and three different authentication methods to choose from when you set up Splunk with an Enterprise license. Users authenticate with Splunk's built-in system (described below), LDAP or scripted authentication (for third-party auth systems). Either method works with Splunk's roles system.

You must be logged in as a Splunk administrator to add or edit user accounts. The default Admin account password is changeme.

Note: Splunk with a Free license does not contain access control features. To access this page, you must run Splunk with an Enterprise license. For more information, read About Splunk licenses.

Lost admin password

If you lose the password to your admin account, contact Splunk Support for assistance.

Splunk local users

A Splunk Admin can create new users either via Splunk Web or Splunk's CLI. Users can be mapped to Splunk's default roles or any custom roles via authorize.conf

via Splunk Web

• To manage users accounts, click the Admin link in the upper right-hand corner:

• From the left hand navigation list, click Users.

• To add a new user, click the New User button.

• To edit existing accounts, click the Edit link under the Action heading.

• Enter the new or changed information and then click Save.

via Splunk CLI

From the CLI, use the following commands to add, edit, remove or list users.

add user username [-parameter value] ...
edit user username [-parameter value]  ...
remove user username [-parameter value]  ...
list user username [-parameter value]  ... 

Required (Default) Parameter:

username -- the name of the Splunk user account to manage.
full-name -- real name of user in quotes, for example "Nikola Tesla" - required when adding a new user.

Optional Parameters:

full-name -- real name of user in quotes, for example "Nikola Tesla"
password -- the password to set for the account
role -- either user, power or admin

Example

This example assumes you have set a Splunk environment variable. If you have not, you must navigate to $SPLUNK_HOME/bin and run the ./splunk command.

# splunk edit user newbie -password f8h2.$R -auth admin:d3cidr

This example authenticates as user "admin" to change the password for user "newbie."

Note: You must be logged in as an Admin to make any changes regarding users. Login either via the splunk login command, or use -auth, as exemplified above.

Start searching

Now you're ready to start using Splunk's search capabilities. Here are a few pages to help you start searching:

1. Search reference.
2. Search syntax.
3. Search tutorial.

Data Inputs

How input configuration works

Specify data inputs via Splunk's CLI or Splunk Web. You may also use inputs.conf (read more about how to configure inputs via inputs.conf). Changes made via Splunk Web or the Splunk CLI are written to $SPLUNK_HOME/etc/system/local/inputs.conf. Configure Windows inputs via inputs.conf as well.

Read on for a description of Splunk's data input types, including their purpose and behavior.

Files and directories

Data inputs can come from files and directories. Use monitor for continuous, non-destructive inputs from files and directories. Use batch input for one time, destructive file loading.

Monitor

Splunk's monitor behaves like the UNIX tail command. Specify a path to a file or directory and Splunk's monitor processor consumes any new input. If subdirectories exist within the specified directory, Splunk recursively examines them for log files. Splunk automatically adds any new files into the index.

In addition, when monitoring a file:

• Files can be opened or closed.
• Files or directories can be included or excluded through the use of file whitelists and blacklists.
• Upon restart, Splunk continues processing files from where it left off.
• Splunk detects log file rotation and does not process renamed files it has already indexed.

Note: If you are monitoring large files or archives, removing the input does not stop those files being indexed. This does stop files from being checked again, but all the initial content will be indexed. To stop all in-process data, you must restart the Splunk server.

When monitoring a directory:

• Set the sourcetype to Automatic. If the directory contains multiple files of different format, do not set a value for the source type manually. Manually setting a source type forces a single source type for all files in that directory.

Note: If the specified file or directory does not exist, the Splunk server will not check to see if it is created later. Splunk only checks for files and directories each time the Splunk server starts (or is restarted). So be sure to explicitly add new files as inputs when they become available if you don't want to restart the server. When monitoring a file, the entire path dir/filename must not exceed 1024 characters.

Batch upload

Upload files directly through Splunk Web. If necessary, Splunk unpacks and uncompresses files before indexing.

Use the batch processor at the CLI or in inputs.conf to load files once and destructively. By default, Splunk's batch processor is located in $SPLUNK_HOME/var/spool/splunk. For continuous, non-destructive loading of files, use monitor.

FIFO queues

A FIFO (AKA named pipe) is a queue of data maintained in memory. File systems can write log messages directly to a FIFO. Splunk then accesses the FIFO as though it were a file. When choosing the FIFO data input method, consider the following:

• FIFO queues can be a high performance method to get data into Splunk, since the system does not have the I/O burden of writing to both a file on disk and Splunk's index on disk (like monitor).

• FIFO access is very fast, but FIFOs are vulnerable when there are processing disruptions because the in-memory data may be lost.

• You do not have to worry about log file rotation and archiving because the data goes straight from the logging application into Splunk via the queue. There is nothing on disk to manage except for Splunk's index.

• Most syslog implementations can write to FIFO queues in addition to or instead of files.

• Other applications can write to FIFO queues instead of files by just changing a logfile name parameter from a filename to a defined FIFO queue.

Note: FIFOs are not recommended for application servers forwarding data to Splunk in a distributed setting. Monitor is a more reliable, stable method.

Network ports

UDP and TCP ports can feed data into the Splunk Server. UDP and TCP behave differently, and these behaviors affect how data arrives for processing. When configuring network ports, keep in mind that you cannot use ports lower than 1024 if you have not installed Splunk as root.

UDP

UDP is a best effort protocol. This means that you might not get messages if the network is clogged, or has a hiccup. You also can't be absolutely sure the messages aren't spoofed or altered in transit. UDP should be reserved for logging implementations focused on day-to-day troubleshooting rather than compliance or security.

Splunk with an Enterprise license can read directly from the network on any UDP port. Use this configuration to make Splunk act directly as a syslog server by reading remote syslog events on UDP port 514. You can also send any other UDP source of logging data, including SNMP.

Like all network streaming approaches, direct UDP input is higher performance than reading files from disk.

TCP

TCP is a reliable, high-performance choice for many situations, as this protocol includes checks to ensure that data has arrived safely and intact. Splunk with an Enterprise license can receive data on any TCP port, allowing Splunk to receive remote data from syslog-ng and other syslog implementations that use TCP for security or reliability. TCP is the foundation of Splunk's distributed data access.

Note: If the sending process buffers data such that events are broken into multiple pieces, Splunk may interpret the parts as multiple events. This is more likely if events are being generated intermittently, as there may be long pauses (several seconds or longer) between blocks of buffered data. If you notice truncated events, try forcing the process to send events atomically.

Scripted inputs

Configure Splunk to run shell commands on a schedule, and then index the output. For example:

• vmstat, iostat, netstat, and any other network or system status commands.
• SQL DBI
• HTTP and HTTPS requests
• SNMP

See Configure scripted inputs for details on how to set this up.

Indexing properties

Splunk can process any data, regardless of format and it automatically learns event boundaries, classifies events and sources, and finds timestamps. However, sometimes you may want to customize Splunk's default processing. Change processing settings and indexing properties in props.conf.

Some attributes within props.conf can be customized by defining new stanzas in other configuration files. For example, transforms.conf defines regex-based rules for extracting fields, correlating events and performing other transformations. Segmenters.conf and outputs.conf can also define attribute values referenced by props.conf.

Common use cases for custom indexing properties include:

• define additional indexed or extracted fields.
• overriding the value of host on a per-event basis, such as for syslog coming from multiple servers.
• correcting or optimizing how Splunk recognizes timestamps.
• correcting or changing how Splunk recognizes multi-line event boundaries.
• masking sensitive data in an event, such as social security numbers.
• changing how Splunk segments events in its index.

Configure inputs via Splunk Web

Follow these instructions to configure data inputs via Splunk Web. You can also configure data inputs via Splunk's CLI or a configuration file.

Configuration

• Click Admin in the upper right-hand corner of Splunk Web.

• Then click Data Inputs. Pick from the following input categories:

• All - Display and access to the following data inputs categories:
  • FIles & Directories - Display and access configuration of each path being read by Splunk.
  • FIFO Queues - Display and access configuration of each FIFO being processed by Splunk.
  • Network Ports - Display and access configuration for UDP and TCP ports.

Files and directories

• Click New Input to add an input.

• Under Data access, pick one of the following:
  • Monitor a directory
    • A file or directory continuously monitored for new input to index.
  • Upload a local file
    • Upload a file from your local machine into Splunk.
  • Index a file on the Splunk server
    • Copy a file on the server into Splunk via the sinkhole directory.

• Then, specify the pathname to the file or directory. If you select the Upload method, you are presented with a Browse... button.

• Under the Host heading, select the host name. You have several choices if you are using Monitor or Watch methods. Learn more about setting host value.

• Now set the Source Type. Source type is a default field added to events. Source type is used to determine processing characteristics such as timestamps and event boundaries. Learn more about setting source type.

• After specifying the source, host, and source type, click the Add button.

FIFO queues

• Click New Input to add an input.

• Under Source, type in the path to the FIFO.

• Under the Host heading, accept the default host name or enter a new hostname/IP address.

• Under the Source Type heading choose:
  • From List:
    • select one of the pre-defined source types from the drop-down list.
  • Manual:
    • label your own source type in the text box.

• Click the Add button.

Network ports

With a Splunk Enterprise license, you can set input from any TCP or UDP port.

• Click New Input to add an input.

• Under the Source heading, select Protocol of UDP or TCP.

• Accept the default port, 9998, or enter another port number.

• Specify whether this port should accept connections from all hosts or one host.
  • If you specify one host, enter the IP address of the host.

• Under the Source Type heading choose:
  • From List:
    • select one of the pre-defined source types from the drop-down list.
  • Manual:
    • label your own source type in the text box.

• Click the Add button.

Configure inputs via the CLI

In addition to using Splunk Web or editing inputs.conf, you can also configure data inputs at Splunk's Command Line Interface (CLI).

To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.

Note: If you get stuck, Splunk's CLI has built-in help. Access the main CLI help page by typing splunk help. Individual commands, objects, and parameters have their own help pages as well -- type splunk help [command | object | parameter name].

Data input commands

Use Splunk CLI data commands to perform actions on data sources. Commands and data sources take various parameters depending on the combination you use. There are five different commands to configure data inputs in the CLI:

Data input types

Specify a data input type to use with a data input command.

Input type parameters

Change the configuration of each data input type by defining the parameters below. Optional parameters have the syntax: -parameter value. Use only one -hostname, -hostregex or -hostsegmentnum per command.

monitor

Required parameters

Optional parameters

Example

monitor only writable files in /var/log/.

• Add /var/log/ as a data input.

./splunk add monitor /var/log/

• Edit the input you added to monitor only files that are still open for writing.

./splunk edit monitor /var/log -active-only true

FIFO

Required parameters

Optional parameters

Example

Configure a FIFO input and set the host and sourcetype field values for each event that's indexed.

• Add the FIFO input /var/run/syslogfifo and set the sourcetype field for each event from the source to equal "linux_messages_syslog".

./splunk add fifo /var/run/syslogfifo -sourcetype linux_messages_syslog

• Edit the input configuration to set the host field value for all events from the source to equal "web01".

./splunk edit fifo /var/run/syslogfifo -hostname web01

TCP/UDP

Required parameters

Optional parameters

Example

Configure a network input and set the sourcetype field value for each event that's indexed.

• Configure a UDP input to watch port 514 and set the sourcetype field value for each event to equal "syslog".

./splunk add udp 514 -sourcetype syslog

• Set the UDP input to use DNS to resolve the host name and set each event's host value to the resolved host name. You must have root access for ports under 1024. Use the auth parameter to authenticate in line.

./splunk edit udp 514 -resolvehost true -auth gwb:d3c1dr

Configure inputs via inputs.conf

Data inputs added via inputs.conf can be more detailed than inputs enabled via SplunkWeb or the CLI.

Note: To set dynamic indexing properties for inputs, use props.conf.

Configuration

Add your stanza to $SPLUNK_HOME/etc/system/local/inputs.conf. Specify an input type and any number of attribute/value pairs.

[<inputtype>://<path>]
attribute1 = val1
attribute2 = val2
...

Global settings

The following attributes/value pairs are valid for ALL input types

host = <string>

• Set the host value of your input to a static value.
• "host =" is automatically prepended to the value when this shortcut is used.

index = <string>

• Set the index where events from this input will be stored.
• "index =" is automatically prepended to the value when this shortcut is used.

source = <string>

• Set the source name of events from this input.
• "source =" is automatically prepended to the value when this shortcut is used.

sourcetype = <string>

• Set the sourcetype name of events from this input.
• "sourcetype =" is automatically prepended to the value when this shortcut is used.

queue = <string> (parsingQueue, indexQueue, etc)

• Specify where the input processor should deposit the events that it reads.
• Can be any valid, existing queue in the pipeline.

Input types

The following attributes/value pairs are valid for the specified input types only.

monitor

[monitor://<path>]

Note: To ensure new events are indexed when you copy over an existing file with new contents, set CHECK_METHOD = modtime in props.conf for the source. This checks the modtime of the file and re-indexes when it changes. Note that the entire file is indexed, which can result in duplicate events.

wildcards

You can use wildcards to specify your input path for monitored input. Use ... for paths and * for files.

• ... recurses through directories until the match is met. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc. but only if bar is a file.
  • To recurse through a subdirectory, use another .... For example /foo/.../bar/....
• * matches anything in that specific path segment. It cannot be used inside of a directory path; it must be used in the last segment of the path. For example /foo/*.log matches /foo/bar.log but not /foo/bar.txt or /foo/bar/test.log.
• Combine * and ... for more specific matches:
  • foo/.../bar/* matches any file in the bar directory within the specified path.

Note: In Windows, you must use two backslashes \\ to escape wildcards. Regexes with backslashes in them are not currently supported for _whitelist and _blacklist in Windows.

Specifying wildcards results in an implicit _whitelist created for that stanza. The longest fully qualified path is used as the monitor stanza, and the wildcards are translated into regular expressions using the following map:

For example, if you specify

[monitor:///foo/bar*.log]

[monitor:///foo/]
_whitelist = bar[^/]*\.log

As a consequence, you can't have multiple stanzas with wildcards for files in the same directory.

For example:

[monitor:///foo/bar_baz*]
[monitor:///foo/bar_qux*]

[monitor:///foo]
_whitelist = (bar_baz[^/]*|bar_qux[^/]*)

Note: To set any additional attributes (such as sourcetype) for multiple whitelisted/blacklisted inputs that may have different attributes, use props.conf

additional attributes

host_regex = <regular expression>

• If specified, the regex will extract host from the filename of each input.
• Specifically, the first group of the regex is used as the host.
• If the regex fails to match, the default "host =" attribute is used.

host_segment = <integer>

• If specified, the '/' separated segment of the path will be set as host.
• If the value is not an integer, or is less than 1, the default "host =" attribute is used.

crcSalt = <string>

• If set, this string will be added to the CRC.
• This can be used to force Splunk to consume files that have matching CRCs.
• If set to "crcSalt = <SOURCE>", then the full source path is added to the CRC.

followTail = 0|1

• If set to 1, monitoring will begin at the end of the file (like tail -f).
• This only applies to files the first time they are picked up.
• After that, Splunk's internal file position records keep track of the file.

_whitelist = <regular expression>

• If set, files from this path are monitored only if they match the specified regex.

_blacklist = <regular expression>

• If set, files from this path are NOT monitored if they match the specified regex.

Batch

[batch://<path>]
move_policy = sinkhole.

• One time, destructive input.
• For continuous, non-destructive inputs, use monitor.
• Important = You must set move_policy = sinkhole. This loads the file destructively. Do not use this input type for files you do not want to consume destructively.

Additional attributes

host_regex (see monitor)
host_segment (see monitor)

Note: source = <string> and <KEY> = <string> are not used by batch.

TCP

[tcp://<remote server>:<port>]

• Configure Splunk to listen to <remote server> on <port>.
• If <remote server> is blank, this stanza matches all connections on the specified port.

Additional attributes

connection_host = [ip | dns]

• If "ip" is set, the TCP input processor will rewrite the host with the ip address of the remote server.
• If "dns" is set, the host will be rewritten with the DNS entry of the remote server.
• Defaults to ip.

UDP

[udp://:<port>]

• Similar to TCP, except that it listens on a UDP port.

Additional attributes

_rcvbuf = <int>

• Specify the receive buffer for the UDP port.
• If the value is 0 or negative, it will be ignored.
• The default value for Splunk is 1MB (the default in the OS varies).

no_priority_stripping = <true/false>

• Stops the syslog priority from being stripped from inputs.

FIFO

[fifo://<path>]

• This directs Splunk to read from a FIFO at the specified path.

Scripted Input

[script://<cmd>]

• Will run the command "cmd" at a configured interval and index the output.
• The command must reside in $SPLUNK_HOME/etc/apps/$APPLICATION/bin directory.

interval = <integer>

• How often to execute the specified command (in seconds).
• If interval is not specified, it will default to 60 seconds.

passAuth = <username>

• User that this script should be run as.
• If a username is provided, Splunk generates an auth token for that user and passes it to the script via stdin.

Examples

Monitor

[monitor:///apache/.../logs]

This loads anything in /apache/foo/logs or /apache/bar/logs, etc.

[monitor:///apache/*.log]

This loads anything in /apache/ that ends in .log.

Batch

[batch://system/flight815/*]
move_policy = passive_symlink

This example batch loads all files from the directory /system/flight815/.

TCP

[tcp://<remote server>:<port>]

This configures Splunk to listen on the specified port. If a connection is made from <remote server>, this stanza is used to configure the input.
If <remote server> is blank, this stanza matches all connections on the specified port.

UDP

[udp://<remote-server>:<port>]

FIFO

[fifo://<path>]

Configure inputs for Windows

You can configure the Windows version of Splunk to index your Windows Application, System, and Security event logs, as well as monitor and index changes to your registry and set up WMI data input. This functionality is not yet exposed in Splunk Web or the CLI.

When you run the Splunk Windows installer, you are given the option to set up indexing and/or monitoring for the event logs, the registry, and for WMI. If you choose to do this, the default values for these settings are assumed. Once you have completed the installation, you can then make changes to the default values set by the installation process. Depending on

If you want to make changes to the default values, edit a copy of inputs.conf in $SPLUNK_HOME\etc\system\local\. You only have to provide values for the parameters you want to change within the stanza. For more information about how to work with Splunk configuration files, refer to How do configuration files work?

Configure indexing for Windows event logs

The settings for which event logs to index are in the following stanza in inputs.conf:

# Windows platform specific input processor.
[WinEventLog:Application] 
[WinEventLog:Security]
[WinEventLog:System]

To disable indexing for an event log, use # to comment it out in this stanza in $SPLUNK_HOME\etc\system\local\inputs.conf.

Configure Windows registry monitoring input

The global settings for Windows registry monitoring are in the following stanza in inputs.conf:

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
interval = 60
sourcetype = WinRegistry
source = WinRegistry
disabled = 0

Note: The Splunk registry input monitoring script (splunk-regmon.py) is configured as a scripted input. Do not change this value.

• source: labels these events as coming from the registry.
• sourcetype: assigns these events as registry events.
• interval: specifies how frequently to poll the registry for changes, in seconds.
• disabled: indicates whether the feature is enabled. Set this to 1 to disable this feature.

The Windows registry monitoring functionality uses two additional configuration files that are described in Windows registry input. You may wish to review this information before proceeding.

Note: You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf. Regexes with backslashes in them are not currently supported when specifying paths to files.

WMI input

Splunk supports WMI (Windows Management Interface) data input for agentless access to Windows performance data and event logs. This means you can pull event logs from all the Windows servers and desktops in your environment without having to install anything on those machines.

The Splunk WMI data input can connect to multiple WMI providers and pull data from them. The WMI data input runs as a separate process (splunk-wmi.exe) on the Splunk server. It is configured as a scripted input in etc/system/default/inputs.conf.

Note: This feature is NOT enabled by default.

Security and remote access considerations

Splunk requires privileged access to index many Windows data sources, including WMI, Event Log, and the registry. This includes both the ability to connect to the box, as well as permissions to read the appropriate data once connected.

* There are several things to consider:

• For remote data collection via WMI, the user the Splunk service is running as must have sufficient OS privileges to access the WMI resources you wish to poll. At a minimum, this account requires the Profile System Performance privilege and the Access this Computer from the Network privilege on every machine you wish to poll. The simplest way to ensure this is to add this user to the Performance Log Users and Distributed COM Users Domain groups.
• You must enable DCOM for remote machine access, and it must be accessible to the user Splunk is running as. See the Microsoft topic about "Securing a Remote WMI Connection" for more information. Adding the user to the Distributed COM Users local group is the fastest way to enable this permission.
• The WMI namespace that Splunk is accessing (most commonly root\cimv2) must have proper permissions set. Enable the following permissions on the WMI tree at root for the Splunk user: Execute Methods, Enable Account, Remote Enable, and Read Security. See the Microsoft how-to "HOW TO: Set WMI Namespace Security in Windows Server 2003" for more information.
• The firewall, if enabled, must allow access for WMI. If you are using the Windows Firewall, the exceptions list explicitly lists WMI. You must set this exception for both the originating and the remote machine. See the Microsoft topic about "Connecting to WMI Remotely Starting with Vista" for some details.

Test access to WMI

To access WMI data, Splunk must run as a user with permissions to perform remote WMI connections. This user name must be a member of an Active Directory domain and must have appropriate privileges to query WMI. Both the Splunk server making the query and the target systems being queried must be part of this Active Directory domain.
Note: If you installed Splunk as the LOCAL SYSTEM user, WMI remote authentication will not work; this user has null credentials and Windows servers normally disallow such connections.

The following steps explain how to test the configuration of the Splunk server and the :

1. Log into the machine Splunk runs on as the user Splunk runs as.
2. Click Start -> Run and type wbemtest. The wbemtest application starts.
3. Click Connect and type \\<server>\root\cimv2, replacing <server> with the name of the remote server. Click Connect. If you are unable to connect, there is a problem with the authentication between the machines.
4. If you are able to connect, click Query and type select * from win32_service. Click Apply. After a short wait, you should see a list of running services. If this does not work, then the authentication works, but the user Splunk is running as does not have enough privileges to run that operation.

Configure WMI input

Look in $SPLUNK_HOME/etc/system/default/wmi.conf to see the default values for the WMI input. If you want to make changes to the default values, edit a copy of wmi.conf in $SPLUNK_HOME/etc/system/local/. You only have to provide values for the parameters you want to change for a given type of data input.

Refer to How configuration files work for more information about how Splunk uses configuration files, but be sure to use the new directory structure for the correct directory paths.

[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
result_queue_size = 1000
checkpoint_sync_interval = 2
heartbeat_interval = 500

[WMI:AppAndSys]
server = foo, bar
interval = 10
event_log_file = Application, System, Directory Service
disabled = 0

[WMI:LocalSplunkWmiProcess]
interval = 5
wql = select * from Win32_PerfFormattedData_PerfProc_Process where Name = "splunk-wmi"
disabled = 0

The [settings] stanza specifies runtime parameters. The entire stanza and every parameter within it are optional. If the stanza is missing, Splunk assumes system defaults.

• These parameters control how the agent reconnects to a given WMI provider when an error occurs. All times are in seconds:
  • initial_backoff: how much time to wait the first time after an error occurs before trying to reconnect. Thereafter, if errors keep occurring, the wait time doubles, until it reaches max_backoff.
  • max_backoff: the maximum amount of time to wait before invoking max_retries_at_max_backoff.
  • max_retries_at_max_backoff : if the wait time reaches max_backoff, try this many times at this wait time. If the error continues to occur, Splunk will not reconnect to the WMI provider in question until the Splunk services are restarted.
• result_queue_size: size of the queue that ensures that WMI providers don't end up blocking while waiting for data to be written to the output. Results received from the WMI providers are put into this queue.
• checkpoint_sync_interval: minimum wait time for state data (event log checkpoint) to be written to disk. In seconds.
• heartbeat_interval: the thread that manages the connection to WMI providers will execute at this interval. In milliseconds.

You can specify two types of data input: event log, and raw WQL (WMI query language) The event log input stanza contains the event_log_file parameter, and the WQL input stanza contains wql.

The common parameters for both types are:

• server: a comma-separated list of servers from which to pull data. If this parameter is missing, Splunk assumes the local machine.
• interval : how often to poll for new data, in seconds. Required.
• disabled: indicates whether this feature is enabled or disabled. Set this parameter to 1 to disable WMI input into Splunk.

WQL-specific parameters:

• namespace: specifies the path to the WMI provider. The local machine must be able to connect to the remote machine using delegated authentication. This parameter is optional. If you don't specify a path to a remote machine, Splunk will connect to the default local namespace (\root\cimv2), which is where most of the providers you are likely to query reside. Microsoft provides a list of namespaces for Windows XP and later versions of Windows.
• wql: provides the WQL query. The example above polls data about a running process named splunkd every 5 seconds.

Event log-specific parameter:
event_log_file: specify a comma-separated list of log files to poll in the event_log_file parameter. File names that include spaces are supported, as shown in the example.

Source and source type for WMI data

All events are indexed in Splunk with a source of wmi.

• For event log data, the source type is set to "WinEventLog:<name of log file>" (for example WinEventLog:Application).
• For WQL data, the the source type is set to the name of the config stanza (for example, for a stanza named [WMI:LocalSplunkdProcess], the field is set to WMI:LocalSplunkProcess).

The host is identified automatically from the data received.

Windows registry input

Splunk supports the capture of Windows registry settings and lets you monitor changes to the registry. You can know when registry entries are added, updated, and deleted.
When a registry entry is changed, Splunk captures the name of the process that made the change and the key path from the hive to the entry being changed.

The Windows registry input monitor application runs as a process called splunk-regmon.exe.

Warning: Do not stop or kill the splunk-regmon.exe process manually; this could result in system instability. To stop the process, stop the Splunk server process from the Windows Task Manager or from within Splunk Web.

How it works

Because it's possible for Windows registries to be extremely dynamic (thereby generating a great many events), Splunk provides a two-tiered configuration for fine-tuning the filters that are applied to the registry event data coming into Splunk.

Splunk Windows registry monitoring uses two configuration files to determine what to monitor on your system, sysmon.conf and regmon-filters.conf, both located in $SPLUNK_HOME/etc/system/local/. These configuration files work as a hierarchy:

• The sysmon.conf file contains global settings for which event types (adds, deletes, renames, and so on) to monitor, which regular expression filters from the regmon-filters.conf file to use, and whether or not Windows registry events are monitored at all.
• The regmon-filters.conf file contains the specific regular expressions you create to refine and filter the hive key paths you want Splunk to monitor.

sysmon.conf contains only one stanza, where you specify:

• event_types: the superset of registry event types you want to monitor. Can be delete, set, create, rename, open, close, query.
• active_filters: the list of regular expression filters you've defined in regmon-filters.conf that specify exactly which processes and hive paths you want Splunk to monitor. This is a comma-separated list of the stanza names from regmon-filters.conf. You can use wildcards, which can be useful in case you want to name and invoke groups of related or similar filters based on a naming convention. If a given filter is not named in this list, it will not be used, even if it is present in regmon-filters.conf. This means you can turn on and off monitoring for various filters or groups of filters as desired.
• disable: whether to monitor registry settings changes or not. Set this to 0 to disable Windows registry monitoring altogether.

Each stanza in regmon-filters.conf represents a particular filter whose definition includes:

• proc: a regular expression containing the path to the process or processes you want to monitor
• hive: a regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
  • \\REGISTRY\\USER\\ maps to HKEY_USERS or HKU
  • \\REGISTRY\\USER\\ maps to HKEY_CURRENT_USER or HKCU
  • \\REGISTRY\\USER\\_Classes maps to HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE maps to HKEY_LOCAL_MACHINE or {{HKLM
  • \\REGISTRY\\MACHINE\\SOFTWARE\\Classes maps to HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current maps to HKEY_CURRENT_CONFIG or HKCC
• type: the subset of event types to monitor. Can be delete, set, create, rename, open, close, query. The values here must be a subset of the values for event_types that you set in sysmon.conf.
• baseline: whether or not to capture a baseline snapshot for that particular hive path. 0 for no and 1 for yes.
• baseline interval: how long Spunk has to have been down before re-taking the snapshot, in seconds. The default value is 24 hours.

Get a baseline snapshot

When you install Splunk, you're given the option of recording a baseline snapshot of your registry hives the next time Splunk starts. By default, the snapshot covers the entirety of the user keys and machine keys hives. It also establishes a timeline for when to retake the snapshot; by default, if Splunk has been down for more than 24 hours since the last checkpoint, it will retake the baseline snapshot. You can customize this value for each of the filters in regmon-filters.conf by setting the value of baseline interval.

Note: Executing a splunk clean all -f deletes the current baseline snapshot.

What to consider

When you install Splunk on a Windows machine and enable registry monitoring, you specify which major hive paths to monitor: key users (HKEY) and/or key local machine (HKLM). Depending on how dynamic you expect the registry to be on this machine, checking both could result in a great deal of data for Splunk to monitor. If you're expecting a lot of registry events, you may want to specify some filters in regmon-filters.conf to narrow the scope of your monitoring immediately after you install Splunk and enable registry event monitoring but before you start Splunk up.

Similarly, you have the option of capturing a baseline snapshot of the current state of your Windows registry when you first start Splunk, and again every time a specified amount of time has passed. The baselining process can be somewhat processor-intensive, and may take several minutes. You can postpone taking a baseline snapshot until you've edited regmon-filters.conf and narrowed the scope of the registry entries to those you specifically want Splunk to monitor.

Configure Windows registry input

Look in $SPLUNK_HOME/etc/system/default/inputs.conf to see the default values for Windows registry input. They are also shown below.
If you want to make changes to the default values, edit a copy of inputs.conf in $SPLUNK_HOME/etc/system/local/. You only have to provide values for the parameters you want to change within the stanza. For more information about how to work with Splunk configuration files, refer to How do configuration files work?

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
interval = 60
sourcetype = WinRegistry
source = WinRegistry
disabled = 0

• source: labels these events as coming from the registry.
• sourcetype: assigns these events as registry events.
• interval: specifies how frequently to poll the registry for changes, in seconds.
• disabled: indicates whether the feature is enabled. Set this to 1 to disable this feature.

Configure crawl

Use crawl to search your filesystem for new data sources to add to your index. Configure one or more types of crawlers in crawl.conf to define the type of data sources to include in or exclude from your results.

Configuration

Edit crawl.conf to configure one or more crawlers that browse your data sources when you run the crawl command. Define each crawler by specifying values for each of the crawl options. Enable the crawler by adding it to crawlers_list.

Crawl logging

The crawl command produces a log of crawl activity that's stored in $SPLUNK_HOME/var/log/splunk/crawl.log. Set the logging level with the logging key in the [default] stanza.

Example:
Set the logging level of crawl to warn.

[default]
logging=warn

Enable crawlers

Enable a crawler by listing the crawler specification stanza name in the crawlers_list key of the [crawlers] stanza.

Use a comma-separated list to specify multiple crawlers.

Example:
Enable crawlers that are defined in the stanzas: [file_crawler], [port_crawler], and [db_crawler].

[crawlers]
crawlers_list= file_crawler, port_crawler, db_crawler

Define crawlers

Define a crawler by adding a definition stanza in crawl.conf. You can add additional crawler definitions by adding additional stanzas.

Example crawler stanzas in crawl.conf:

[Example_crawler_name]
....

[Another_crawler_name]
....

Add key/value pairs to crawler definition stanzas to set a crawler's behavior. The following keys are available for defining a file_crawler:

Example

A simple file_crawler may look like:

[simple_file_crawler]
bad_directories_list= bin, sbin, boot, mnt, proc, tmp, temp, home, mail, .thumbnails, cache, old
bad_extensions_list= mp3, mpg, jpeg, jpg,  m4, mcp, mid
bad_file_matches_list= *example*, *makefile, core.*
packed_extensions_list= gz, tgz, tar, zip
collapse_threshold= 10
days_sizek_pairs_list= 3-0,7-1000, 30-10000
big_dir_filecount= 100
index=main
max_badfiles_per_dir=100

Scripted inputs

By configuring inputs.conf, Splunk can also accept events from scripts. Scripted input is useful for command-line tools, such as vmstat, iostat, netstat, top, etc.

Note: Currently, scripted inputs do not get bundled in the deployment server. In the future, Splunk will support this behavior. For now, use your preferred configuration automation tool to push your script directory to your server classes.

Configuration

• Create a new directory under $SPLUNK_HOME/etc/apps/.
  • For example, make a directory called scripts/.
  • This is the location of your scripts application directory.

• In your new scripts/ directory, create a directory bin/ to contain the actual script.

Note: Your script must be in the bin/ directory underneath your scripts/ directory.

• Add the following lines to $SPLUNK_HOME/etc/apps/scripts/inputs.conf file:

[script://$SCRIPT] 
interval = X 
index = {main, $YOUR_INDEX}
sourcetype = {iostat, vmstat, etc}  OPTIONAL
source = {iostat, vmstat, etc} OPTIONAL
disabled = false

Variables

• script is the fully-qualified path to the location of the script
• interval is in seconds
  • for constant data streams, enter 0
  • for one-shot data streams, enter -1
    • Note: this will re-run each time the splunk daemon restarts
• index can be any index in your Splunk instance
• disabled is a boolean value that can be set to true if you want to disable the input
• sourcetype and source can be any value you'd like. Optional.

Example

This example shows the use of the UNIX top command as a data input source.

• Start by creating a new application directory. We will use scripts/:

$ mkdir $SPLUNK_HOME/etc/apps/scripts

• All scripts should be run out of a bin/ directory inside your application directory:
• $ mkdir $SPLUNK_HOME/etc/apps/scripts/bin

• This example uses a small shell script top.sh:

$ #!/bin/sh
 top -bn 1  # linux only - different OSes have different paramaters

• Make sure the script is executable:

chmod +x $SPLUNK_HOME/etc/apps/scripts/bin/top.sh

• Test that the script works by running it via the shell:

$SPLUNK_HOME/etc/apps/scripts/bin/top.sh

• The script should have sent one top output.

• Add the script entry to inputs.conf in {{$SPLUNK_HOME/etc/apps/scripts}:

[script:///opt/splunk/etc/apps/scripts/bin/top.sh]
interval = 5                # run every 5 seconds
sourcetype = top        # set sourcetype to top
source = script://./bin/top.sh   # set source to name of script

Note:

• You must restart your Splunk server for these changes to take effect.
• You may need to modify props.conf:
  • By default Splunk breaks the single top entry into multiple events.
  • The easiest way to fix this problem is to tell the Splunk server to break only before something that does not exist in the output.
  • For example, adding the following to $SPLUNK_HOME/etc/apps/scripts/props.conf forces all lines into a single event:

[top]
BREAK_ONLY_BEFORE = GobblyGook

• Since there is no timestamp in the top output we need to tell Splunk to use the current time. This is done in props.conf by setting:

DATETIME_CONFIG = CURRENT

Configure whitelist and blacklist rules

When specifying inputs to monitor in inputs.conf, you can use whitelist and blacklist rules to explicitly tell Splunk to consume ONLY certain files or consume everything EXCEPT certain files. When you define a whitelist, Splunk indexes ONLY the files in that list. Alternately, when you define a blacklist, Splunk ignores the files in that list and consumes everything else. These settings are independent of each other.

Whitelist and blacklist rules use regular expression syntax to define the match on the file name. Also, your rules must be contained within a configuration stanza, for example [monitor://<path>]); those outside a stanza (global entries) are ignored.

Important: Define whitelist and blacklist entries with exact regex syntax; the "..." wildcard is not supported.

Whitelist (allow) files

To define the files you want Splunk to exclusively index, add the following line to your monitor stanza in $SPLUNK_HOME/etc/system/local/inputs.conf:

_whitelist = $YOUR_CUSTOM_REGEX

For example, if you want Splunk to monitor only files with the .log extension:

[monitor:///mnt/logs]
    _whitelist = .*\.log

Blacklist (ignore) files

To define the files you want Splunk to exclude from indexing, add the following line to your monitor stanza in $SPLUNK_HOME/etc/system/local/inputs.conf:

_blacklist = $YOUR_CUSTOM_REGEX

For example, if you want Splunk to ignore and not monitor only files with the .txt extension:

[monitor:///mnt/logs]
    _blacklist = .*\.txt

If you want Splunk to ignore and not monitor all files with either the .txt extension or the .gz extension:

[monitor:///mnt/logs]
    _blacklist = \.(txt|gz)$

Verify your lists

To verify that your whitelist and blacklist rules are configured properly, run the listtails utility found in your $SPLUNK_HOME/bin directory. listtails reads in the configuration of inputs.conf in all application directories, scans the directories and shows you the exact list of files that Splunk will monitor when you restart.

Note: The listtails utility requires you to first run the command source setSplunkEnv.

Log file rotation

Splunk recognizes when a file that it is monitoring (such as /var/log/messages) has been rolled (/var/log/messages1) and will not read the rolled file in a second time.

Note: Splunk does not recognize tar or gzip files produced by logrotate. You can explicitly set blacklist rules for .tar or .gz to prevent Splunk from reading these files as new logfiles, or you can configure logrotate to move these files into a directory you have not told Splunk to read.

How log rotation works

The monitoring processor picks up new files and reads the first and last 256 bytes of the file. This data is hashed into a begin and end cyclic redundancy check (CRC). Splunk checks new CRCs against a database that contains all the CRCs of files Splunk has seen before. The location Splunk last read in the file is also stored.

There are three possible outcomes of a CRC check:

1. There is no begin and end CRC matching this file in the database. This is a new file and will be picked up and consumed from the start. Splunk updates the database with new CRCs and seekptrs as the file is being consumed.

2. The begin CRC is present and the end CRC are present but the size of the file is larger than the seekPtr Splunk stored. This means that, while Splunk has seen the file before, there has been information added to it since it was last read. Splunk opens the file and seeks to the previous end of the file and starts reading from there (so Splunk will only grab the new data and not anything it has read before).

3. The begin CRC is present but the end CRC does not match. This means the file has been changed since Splunk last read it and some of the portions it has read in already are different. In this case there is evidence that the previous data Splunk read from has been changed. In this case Splunk has no choice but to read the whole file again.

Strip syslog headers before processing

Remove syslog headers from non-syslog events that have been passed through syslog to Splunk, such as log4j events from a log4j-to-syslog appender. Splunk ships with a regex to do this for you in $SPLUNK_HOME/etc/system/default/transforms.conf. Overwrite or change any of the default attributes and values by creating a transforms.conf in $SPLUNK_HOME/etc/system/local/ or your own custom bundle directory. For more information on configuration files in general, see how configuration files work.

Configuration

transforms.conf

In $SPLUNK_HOME/etc/system/default/transforms.conf:

# This will strip out date stamp, host, process with pid and just get the
# actual message
[syslog-header-stripper-ts-host-proc]
REGEX         = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s.*?:\s(.*)$
FORMAT        = $1
DEST_KEY      = _raw

Additional strippers found in this file include:

• syslog-header-stripper-ts-host-proc This will strip out date stamp, host, process with pid and just get the actual message
• syslog-header-stripper-ts-host This will strip the syslog header (date stamp and host) from a syslog event. This is especially useful in allowing Splunk to extract the correct hostname if you are using hostname chaining
• syslog-header-stripper-ts This will just strip the time stamp

props.conf

In $SPLUNK_HOME/etc/sstem/local/props.conf:

[syslog]
TRANSFORMS= syslog-header-stripper-ts-host-proc

This example turns on the built-in regex for remote syslog inputs.

[syslog]
TRANSFORMS-strip-syslog= syslog-header-stripper-ts-host-proc

Add a name onto the TRANSFORMS declarations. There are no special keywords. TRANSFORMS-the-cake-is-a-lie works just as well.

Example

If you have a central syslog server (syslog1.idkfa.kom) receiving events from multiple servers, you can forward the events to a Splunk Server and index them based on the original host (doom1.idkfa.kom) and original timestamp (07:37:15). For this example the events come to Splunk via UDP port 514 and look like this:

Mar 30 14:29:35 syslog1.idkfa.kom Mar 30 07:37:15 doom1.idkfa.kom sshd[7728]: Connection closed by ::ffff:192.168.1.101

Create this configuration stanza in props.conf:

[syslog]
TIME_PREFIX = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s
TRANSFORMS-strip-syslog= syslog-header-stripper-ts-host

Determine what files Splunk is monitoring

When you configure inputs, you may want to know what specific files Splunk is monitoring prior to starting Splunk for indexing. This is especially true when configuring whitelisting/blacklisting rules. Splunk includes a listtails utility which reads in the configuration of inputs.conf in all applications, scans your directories and shows you the exact list of files what Splunk will monitor when you restart. This allows you to make changes to inputs.conf and verify if the blacklist/whitelist filtering is correct.

Run listtails

To use the listtails utility:
1. Navigate to $SPLUNK_HOME/bin/.
2. Run the command ./splunk cmd listtails.

Index SNMP events with Splunk

The most effective way to index SNMP events is to use snmptrapd to write them to a FIFO.

First, configure snmptrapd to write to a FIFO rather than to a file on disk.

# mkfifo /var/run/snmp-fifo
# snmptrapd -o /var/run/snmp-fifo

Then, configure the Splunk Server to add the FIFO as a data input.

log4j

The best way to index log4j files is to set up a standard log4j-syslog appender on your log4j host. Then configure the Splunk server's properties to strip the syslog header prior to other processing, so Splunk doesn't think the logs are single-line syslog entries.

See the entry on stripping syslog headers for instructions on stripping the syslog headers.

Data Distribution

How data distribution works

Splunk servers running on any supported OS platform can forward data to one another (as well as to other systems) in real time. This setup allows data inputs gathered on one Splunk server in a specific environment to be sent to another Splunk server for indexing and search. Also, Splunk servers can forward data to groups of other Splunk servers, to enable horizontal scaling via clustered indexing. Splunk servers can also clone data to multiple groups of other Splunk servers to provide for data redundancy in high availability environments.

Data distribution covers all configurations in which one Splunk server (the forwarder) is sending data to one or more Splunk servers (the receivers) prior to being indexed. The forwarder can also index data locally.

Note: All Splunk instances in a distributed cluster must be running the same version of Splunk, although they can be running on any variety of support OSes. Each receiving Splunk server must have a unique, valid Splunk Enterprise license.

Forwarding

Forwarding is the simplest setup for forwarding and receiving. Forwarding refers to any server that sends data to another server for indexing.

Learn how to enable forwarding and receiving.

Routing

With routing enabled, the forwarder matches conditions based on patterns in the events themselves to selectively send some events to one other server and other events to another server.

Learn how to enable data routing.

Cloning

Cloning refers specifically to a forwarder sending every event to two or more other Splunk servers to provide for data redundancy.

Learn how to enable cloning.

Data balancing

Data balancing refers to data that is sent in a balanced fashion to groups of servers. This set up supports large volumes of data. All of the forwarders send data to some number of receivers, and the receivers index data in a round-robin fashion.

Data balanced target groups are made up of multiple servers. Learn how to set up data balancing.

Buffering during data balancing

If a server becomes inaccessible during data balancing, Splunk continues to send events to all accessible servers.

Eventually, Splunk stops trying to send to an unresponsive server, and notes that the server has gone off line. If all servers are inaccessible, Splunk writes to a buffer on the forwarder's side.

Data buffering values are set in outputs.conf on the forwarding side.

Target groups

Rather than output data to one receiver, forwarders can send to target groups. Target groups are made of one or more receiving servers:

[target group 1] 
server 1, server 2

[target group 2]
server 3

[target group 3]
server 4, server 5, server 6

Cloning sends every event to all target groups.

Routing sends specific events to one target group and different events to other target groups.

You can also set up default groups, which receive all the data not sent to target groups. If more than one group is specified, Splunk clones events to all listed default groups.

defaultGroup=<groupname1>,<groupname2>...

Learn more about target group configuration.

Security

Any Splunk server can route some or all of its incoming data in real time to other Splunk servers and to other systems via TCP, either in the clear text or via SSL. Learn how to set up SSL.

Send to 3rd party systems

By default, data is routed between Splunk servers as cooked data -- meaning events have been parsed and tagged. However, Splunk can be configured to either receive or send raw data in order to interact with third party systems.

Learn how to configure Splunk to send to or receive from third party software.

Distributed search

Splunk servers can distribute search requests to other Splunk servers and merge the results back to the user. Distributed search combines with balanced indexing to provide horizontal scaling, allowing you to search and index hundreds of gigabytes or terabytes per day. Additionally, distributed search allows select users to correlate data across different data silos.

Learn more about distributed search.

Configuration files for data distribution

• The forwarder uses the TCP output processor, configured by outputs.conf.

• Configure the receiver via inputs.conf.

• Conditions for routing are established in transforms.conf and linked to specific sources, source types or hosts in props.conf.

Enable forwarding and receiving

Set up forwarding and receiving via Splunk Web or Splunk's CLI. To set up more sophisticated forwarding configurations, see this page on configuring outputs.conf.

You can set up two types of forwarders: standard and lightweight. If you configure a standard forwarder, it indexes the data before forwarding it to the receiving Splunk host. When you configure a lightweight forwarder, it sends un-indexed data to the receiving Splunk host. If you are using both types of forwarders, you must specify a different port for each type.

You must set up receiving before setting up forwarding. This way, the Splunk receiving host is prepared for the forwarded data.

Once you have enabled a Splunk instance to forward or receive data, you can configure additional settings, such as routing, cloning, filtering or data balancing. Configuration changes are done on the forwarder side, on the host that is reading the data input.

Note: An Enterprise license is required on each receiver node. Splunk instances that are forwarding can continue to use the free license. For customers with a valid support agreement that require authentication for all Splunk instances please contact support and request a forwarder license. This special forwarder license can be re-used on all forwarding instances.

Receiving

via Splunk Web

• Navigate to Splunk Web on the server that will receive data for indexing.

• Click the Admin link in the upper right hand corner of Splunk Web.

• Select the Distributed tab.

• Click Receive Data.

• To begin receiving data:
  • Set the radio button to Yes.
  • Specify the port that you want Splunk to listen on. This is also the port that Splunk instances use to forward data to this server.
  • Click the Save button to commit the configuration. You must restart the server for your changes to take effect.

via the CLI

Enable receiving from Splunk's CLI. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. Also, add Splunk to your path and use