Splunk Admin Manual Version: 3.4.6 Generated: 3/19/2010 06:37 am Copyright Splunk, Inc. All Rights Reserved



Table of Contents

About the Splunk Admin Manual ... 1
  What's in the Admin Manual? ... 1
How Splunk Works ... 2
  Overview of Splunk ... 2
Getting Started ... 9
  Start Splunk ... 9
  Administration basics ... 10
  Change defaults ... 13
  Find and index data ... 17
  Add more users ... 18
  Start searching ... 20
Data Inputs ... 21
  How input configuration works ... 21
  Files and directories ... 25
  Network ports ... 33
  Encrypted Inputs ... 37
  FIFO inputs ... 38
  Scripted inputs ... 41
  Whitelist and blacklist rules ... 43
  Crawl ... 45
  Windows inputs ... 47
  Windows Management Instrumentation (WMI) input ... 49
  Windows registry input ... 52
  Windows process monitoring ... 55
Data Distribution ... 57
  How data distribution works ... 57
  Enable forwarding and receiving ... 61
  Configure target groups in outputs.conf ... 64
  Set up routing ... 68
  Route specific events to different queues ... 70
  Route specific events to an alternate index ... 73
  Set up SSL for forwarding and receiving ... 75
  Enable cloning ... 77
  Set up data balancing ... 77
  Route data to third-party systems ... 79
Indexing ... 81
  How indexing works ... 81
  Index multi-line events ... 83
  Configure segmentation ... 85
  Configure custom segmentation for a host, source, or source type ... 87
  Mask sensitive data in an event ... 88
  Configure character set encoding ... 90
  Dynamic metadata assignment ... 91
Timestamps ... 93
  How Splunk extracts timestamps ... 93
  Configure timestamp recognition ... 94
  Apply timezone offsets ... 97
  Recognize European date format ... 99
  Configure positional timestamp extraction ... 100
  Tune timestamp extraction for better indexing performance ... 101
  Train Splunk to recognize a timestamp ... 102
Fields ... 107
  How fields work ... 107
  Create fields via Splunk Web ... 108
  Create fields via configuration files ... 109
  Create indexed fields via configuration files ... 113
  Field actions ... 116
  Configure fields.conf ... 117
  Configure multi-value fields ... 118
  Configure tags ... 119
  Automatic header-based field extraction ... 122
Hosts ... 127
  How host works ... 127
  Set default host for a Splunk server ... 128
  Define host assignment for an input ... 128
  Tag hosts ... 130
  Extract host per event ... 131
Source Types ... 134
  How source types work ... 134
  Rule-based association of source types ... 136
  Set source type for an input ... 137
  Set source type for a source ... 138
  Train Splunk to recognize a source type ... 139
  Source type settings in props.conf ... 139
  Configure a source type alias ... 140
Event Types ... 142
  How event types work ... 142
  Save event types via Splunk Web ... 144
  Configure eventtypes.conf ... 144
  Tag event types ... 146
  Event type discovery ... 146
  Event type templates ... 147
  Dynamic event rendering ... 148
Transaction Types ... 151
  How transactions work ... 151
  Transaction types via configuration files ... 151
  Transaction search ... 154
Search ... 157
  How search works ... 157
  Set up saved searches via Splunk Web ... 158
  Set up saved searches via savedsearches.conf ... 160
  Create a form search ... 162
  Macro searches ... 164
  Configure summary indexing ... 165
  Live tail ... 168
Distributed Search ... 171
  How distributed search works ... 171
  Enable distributed search via Splunk Web ... 172
  Enable distributed search via the CLI ... 172
  Configure distributed search via distsearch.conf ... 173
  Exclude specific Splunk servers from distributed searches ... 175
Alerts ... 177
  How Alerts Work ... 177
  Set up alerts via Splunk Web ... 178
  Set up alerts via savedsearches.conf ... 181
  Scripted Alerts ... 185
  Customize alert options ... 186
  Send SNMP traps ... 188
Security ... 191
  Security options ... 191
  Enable HTTPS ... 192
  SSL ... 194
  Set up LDAP ... 196
  Configure roles ... 204
  Scripted authentication ... 207
  File system change monitor ... 210
  Audit events ... 213
  Audit event signing ... 215
  Event hashing ... 217
  IT data signing ... 221
  Archive signing ... 225
Data Management ... 228
  Splunk data management ... 228
  Create an index ... 229
  Remove (delete) data ... 231
  Export event data ... 235
  Move the Splunk index ... 236
  Set a retirement and archiving policy ... 237
  Automate archiving ... 239
  Restore archived data ... 240
  Back up your data ... 241
  Disk usage ... 244
  Use separate partitions for Splunk's datastore ... 245
  Use WORM (Write Once Read Many) volumes for Splunk's datastore ... 247
Deployment Server ... 249
  How the deployment server works ... 249
  Configure a Splunk deployment server ... 251
  Configure server classes ... 254
  Configure deployment clients ... 255
  Sync the server and client ... 258
Performance Tuning ... 260
  Performance tuning Splunk ... 260
  Indexing performance ... 261
  Search performance ... 264
  Storage efficiency ... 266
  CPU and memory footprint ... 268
  Multi-CPU servers ... 268
  64-bit operating systems ... 269
Configuration Files ... 271
  How do configuration files work? ... 271
  Configure application directories ... 274
  Configuration file list ... 276
Applications ... 278
  About apps ... 278
  About Splunk's app manager ... 279
  Install Splunk apps ... 280
Reference ... 283
  Pre-trained source types ... 283
  Splunk log files ... 287
  Work with metrics.log ... 290
  Log file rotation ... 293
  Determine what files Splunk is monitoring ... 294
  Index SNMP events with Splunk ... 294
  log4j ... 294
  Strip syslog headers before processing ... 295
  Wildcards ... 296
  alert_actions.conf ... 296
  app.conf ... 298
  audit.conf ... 300
  authentication.conf ... 302
  authorize.conf ... 305
  commands.conf ... 309
  crawl.conf ... 310
  decorations.conf ... 312
  deployment.conf ... 313
  distsearch.conf ... 315
  eventdiscoverer.conf ... 317
  eventtypes.conf ... 318
  field_actions.conf ... 319
  fields.conf ... 322
  indexes.conf ... 323
  inputs.conf ... 327
  limits.conf ... 334
  literals.conf ... 339
  multikv.conf ... 340
  outputs.conf ... 344
  prefs.conf ... 348
  props.conf ... 352
  regmon-filters.conf ... 359
  restmap.conf ... 360
  savedsearches.conf ... 362
  segmenters.conf ... 366
  server.conf ... 368
  setup.conf ... 370
  source-classifier.conf ... 371
  sourcetypes.conf ... 372
  streams.conf ... 373
  strings.conf ... 374
  sysmon.conf ... 375
  tags.conf ... 376
  transactiontypes.conf ... 377
  transforms.conf ... 379
  user-seed.conf ... 382
  web.conf ... 383
  wmi.conf ... 386
Troubleshooting ... 389
  Contact Support ... 389
  Splunkd is down ... 392
  License issues ... 392
  Anonymize data samples ... 396
  Unable to get a properly formatted response from the server ... 399
  Command line tools ... 399

About the Splunk Admin Manual

What's in the Admin Manual?

Everything you need to know to configure and manage Splunk can be found in this guide.

Start with an overview, and then get started with some administration basics.

Find what you need.

Use the table of contents to the left of this panel, or search for what you want by using the search box located in the upper right.

If you're interested in more specific scenarios and best practices, you can visit the Splunk Community Wiki to see how other users Splunk IT.

Need something a little more user-oriented?

Try the User Manual.

How Splunk Works

Overview of Splunk

Splunk is search software for any type of data. Learn more about how Splunk works by reading through this introductory page. You'll find many links here for installing, configuring and customizing your Splunk installation.

Configuration options

Splunk has several options for configuration: a Web interface (Splunk Web), a command line interface (the CLI), and configuration files. Most of Splunk's configuration can be accomplished by using the Admin page of Splunk Web, and the CLI. Configure advanced settings through configuration files.

Installation and upgrade

Installing Splunk is easy and fast. These instructions show you how to install, upgrade, or back up an existing copy of Splunk.

• Installation
  ♦ Installation instructions for all supported platforms are found in the Installation Manual.
  ♦ On *nix platforms, use a tarball or RPM file.
  ♦ On Mac, use a tarball or DMG file.
  ♦ On Windows, download the .exe file and install. Instructions for Windows installation are located here.
• Upgrade
  ♦ There are a lot of new features available in 3.3. You may want to consider an upgrade if you are running an earlier version.
  ♦ Upgrade instructions are here.

Important: It's a good idea to back up your current instance before you upgrade.

    Data sources

    Splunk is capable of receiving data in a variety of ways. Read on for a brief description of each inputtype. For a more in-depth description of inputs, read how input configuration works.

    • Files and directories
      ♦ Use monitor to stream live data into Splunk.
      ♦ Or batch to upload a file directly to Splunk Web.
    • Network ports
      ♦ Splunk supports UDP and TCP connections.
      ♦ Configure syslog on UDP 514.
      ♦ Use TCP connections for log4j.
    • Scripted inputs
      ♦ Use scripted inputs to receive the outputs of command-line tools (such as vmstat, iostat, netstat, top, etc.) or other programs.
    • Crawl
      ♦ Use Splunk's new crawl feature to search for new data sources and files on your Splunk server.
    • Distributed data
      ♦ One Splunk Server can receive data from any number of other Splunk Servers via data distribution (description below).
      ♦ This port is configurable, but defaults to 9998.

    Windows

    Splunk for Windows comes with its own set of configuration files for setting up Windows-specific inputs, including Windows registry and WMI. Read more about configuring Windows inputs.

    Distributed data

    Configure distributed inputs and outputs across your network. Send data between one Splunk instance and another, or third party software. For an overview on all the available configuration options, see How data distribution works.

    • Forwarding and receiving
      ♦ A Splunk Server in forwarding mode can send data to one or more Splunk instances.
      ♦ Any Splunk Server can receive data from one or more Splunk instances.
      ♦ Learn more about forwarding and receiving.
    • 3rd party systems
      ♦ Splunk can also forward raw data to any other system or software.
      ♦ You can set up Splunk to send or receive data from 3rd party systems. Learn how.

    Indexing

    Splunk takes all data from inputs and sends it to an indexing pipeline. Data is then broken up into separate events via segmentation rules. Most data is segmented and timestamped correctly. However, you may wish to configure Splunk to index your data in particular ways. Learn more about how indexing works.

    Here are some things you might want to consider:

    • Configure event boundaries
    • Configure segmentation
    • Mask sensitive data
    • Character set
    • Timestamp recognition

    Configuration for indexing is set mostly through props.conf and transforms.conf.

    Fields

    Fields are a useful aspect of Splunk's search interface. You can use Splunk's built-in fields that are enabled by default. Here's a list of Splunk's default fields, including links to more in-depth documentation:

    • Source
      ♦ The source field specifies the path to the original data input.
      ♦ It is set automatically, but can be tagged.
    • Host
      ♦ Host is the label for the device that originated the event.
      ♦ Read more about host.
    • Source type
      ♦ A source type refers to any common format of data produced by a group of sources, such as weblogic or syslog.
      ♦ Learn more about source types.
    • Event types
      ♦ Event types are groups of common events.
      ♦ Learn more about event types.

    You can also create your own fields. Custom fields are useful for:

    • Customizing searches (see below for search options).
    • Creating field actions.
    • Enabling event type templates.

    To learn more about creating custom fields, see how fields work.

    Search

    Splunk's search interface is useful for tracking down different aspects of your data. Here are a few things you can do with your searches:

    • Search commands.
      ♦ Splunk has a powerful search language.
      ♦ Craft simple to sophisticated searches.
    • Save searches.
      ♦ Any search can be saved and run at any time.
      ♦ Save searches with variables to fill in at search time, including:
        ♦ Form search.
        ♦ Macro search.
    • LiveTail
      ♦ Run a search to watch data as it's indexed.
      ♦ Read more about Live Tail.
    • Alerts
      ♦ Schedule Splunk to send search results via email or RSS.
    • Summary indexing
      ♦ Save the output of any search to a special index.
    • Transactions
      ♦ Search for transactions that occur across events, such as email threads, store purchases

    For a more detailed overview of search, see how search works.

    Distributed search

    In a distributed set up, you may want to search across multiple instances of Splunk. Enable distributed search to federate searches across your entire Splunk deployment. Read more about how distributed search works.

    Security

    Secure your Splunk server with the following security configuration options. Here's a brief overview of the available features. For a more detailed overview, see security options.

    Authentication

    Splunk includes several authentication options, including:

    • Roles, which allow you to set up:
      ♦ User roles capabilities.
      ♦ User-based access controls.
    • LDAP
      ♦ Set up LDAP.
    • SSL
      ♦ Enable HTTPS.
      ♦ Or SSL for Splunk's back-end.

    Audit

    Use the following options to enable separate auditing configurations:

    • File system monitor
      ♦ The file system change monitor watches any designated file system and sends an event if files or directories are affected in any way.
      ♦ By default, Splunk monitors its own $SPLUNK_HOME/etc/ directory for configuration changes.
    • Audit events
      ♦ Events generated by the file system change monitor as well as user activity within Splunk.
      ♦ Audit events are stored in a separate index, _audit.
    • Audit event signing
      ♦ Set up cryptographic signing for audit events.
    • IT data signing
      ♦ Enable cryptographic signing for all your events as they enter Splunk.
    • Archive signing
      ♦ Sign your data as it is archived.
    • Event decorations
      ♦ Mark your audit events with icons so they're more noticeable.

    Data management

    Splunk servers often index large amounts of data each day. You may want to enable advanced settings to handle the following data management scenarios.

    • Index management, including:
      ♦ Add or remove an index.
      ♦ Delete data from the index.
      ♦ Move an index.
    • Data archiving, including:
      ♦ Set retirement policy.
      ♦ Automate archiving.
      ♦ Restore archived data.
      ♦ Export event data.
    • Storage options:
      ♦ Disk usage.
      ♦ Use separate partitions for Splunk's data store.
      ♦ Use WORM (Write Once Read Many) volumes for Splunk's data store.

    Note: Many data management settings are enabled on a per-index basis, using indexes.conf. To learn more about indexes, see how indexes work.

    Deployment server

    In a distributed set up, enable one or more Splunk instances as deployment servers. A deployment server pushes out configuration changes to other Splunk instances.

    For a complete overview of all deployment options, read the Deployment manual. For instructions on configuring and enabling the deployment server and clients, read the Admin manual section on the deployment server.

    Performance tuning

    The following options help you tune Splunk's performance for your environment. Depending on your system and requirements, you may want to change one or more of the following settings:

    • Indexing
      ♦ Change various configurations to speed up Splunk's intake of data.
    • Search
      ♦ Settings for faster return of search results.
    • Storage efficiency
      ♦ Cut down on the space of your Splunk index.
    • CPU and memory footprint
      ♦ Tune Splunk's CPU usage and memory settings.
    • Backup
      ♦ Back up your Splunk install.
      ♦ Note: It is a good idea to back up Splunk before performing any migrations or upgrades.

    A more in-depth overview of performance tuning options is available here.

    Configuration files

    Many of Splunk's advanced configurations and customizations are available only through configuration files. Create configurations by copying files into a custom application directory. Learn more about application directories and configuring application directories.

    Applications

    Applications are directories of configuration files with specific purposes. Configure your own applications by following these instructions.

    You can also share your configuration file directories as applications with the Splunk community on SplunkBase.

    Customization

    Pimp your Splunk! Everybody's data is a little bit different. Maybe you want to set custom configurations for the system you're running Splunk on. Here are options for personalizing your Splunk instance.

    Splunk Web appearance

    Change various aspects of Splunk Web's appearance:

    • Dashboards
      ♦ Configure user settings and dashboards via prefs.conf.
    • Decorations
      ♦ Set icons for event types with dynamic event rendering.
    • Literals
      ♦ Change the externalized strings in Splunk Web via literals.conf.
    • Skinning
      ♦ Change the way your web interface looks.
      ♦ Read the Developer's Guide for help with skinning Splunk.

    Extend Splunk

    Splunk includes a REST API. Read the Developer's Guide to learn more about the REST API. To configure additional REST endpoints, use restmap.conf.

    Troubleshooting

    If there's something you need help with, even after reading the documentation, contact Splunk support.

    If there's a feature you don't see here that you want included, file an enhancement request with Splunk support.

    We're always interested in your feedback.

    • Splunk support.
    • Splunk forums.

    Getting Started

    Start Splunk

    This topic serves only as a brief instruction to starting Splunk. If you are new to Splunk, we recommend reviewing the User Manual first.

    Before you start

    Before starting Splunk, install the software. Refer to the Installation Manual for system requirements and step-by-step instructions. Make sure you install the correct version of Splunk and that you are installing on a supported filesystem.

    Start Splunk on non-Windows platforms

    Splunk's command line interface is located in $SPLUNK_HOME/bin/. $SPLUNK_HOME refers to the path you installed under. Navigate to this location and run the following command:

    # ./splunk start

    You must accept Splunk's EULA the first time you start Splunk after a new installation. To bypass this step, start Splunk and accept the license in one step:

    # ./splunk start --accept-license

    NOTE: There are two dashes before the accept-license option.

    Start Splunk on Windows

    On Windows, Splunk is installed by default into \Program Files\Splunk

    Start and stop the following Splunk processes via the Windows Services Manager:

    Server daemon: splunkd• Web interface: splunkweb•

    You can also start, stop, and restart both processes at once by going to \Program Files\Splunk\bin and typing

    # splunk.exe [start|stop|restart]

    Load Splunk Web in your browser

    Navigate to:

    http://mysplunkhost:8000

    Use whatever host and port you chose during installation.

    The first time you login to Splunk with an Enterprise license, use username admin and password changeme. Splunk with a free license does not have access controls.

    Administration basics

    The $SPLUNK_HOME variable refers to the top level directory of your installation. By default, this is /opt/splunk/.

    Add Splunk to your shell path

    To save a lot of typing, set a SPLUNK_HOME environment variable and add $SPLUNK_HOME/bin to your shell's path.

    This example works for Linux/BSD/Solaris users who accepted the default installation location:

    # export SPLUNK_HOME=/opt/splunk
    # export PATH=$SPLUNK_HOME/bin:$PATH

    This example works for Mac users who accepted the default installation location:

    # export SPLUNK_HOME=/Applications/Splunk
    # export PATH=$SPLUNK_HOME/bin:$PATH

    Alternatively, Splunk supplies a script which can be sourced to set up the Splunk environment, regardless of where it has been installed. This performs the equivalent of the above steps, and obeys the values in etc/splunk-launch.conf.

    # source /bin/setSplunkEnv

    Splunk's CLI

    Splunk's command line interface is located in $SPLUNK_HOME/bin/. If you have exported the path and environment variables (as explained above), you can use the splunk command as follows:

    # splunk [action] [object] [-parameter value] ....

    If you haven't set an environment variable, navigate to $SPLUNK_HOME/bin/ and run commands as follows:

    # ./splunk [action] [object] [-parameter value] ....

    For general help, type:

    # splunk help

    For a list of commands and options, type:

    # splunk help commands

    For Splunk with an Enterprise license, administration commands must be authenticated with a username and password. To authenticate for an entire session, type:

    # splunk login

    This command prompts you for a Splunk username and password. Use the same username and password for the CLI and Splunk Web. By default, the login is set to admin and the password is changeme.

    Logout at any time by typing:

    # splunk logout

    To authenticate a single command, use the -auth parameter:

    # splunk search foo -auth username:password

    Note: the -auth string must be the last term in the CLI command.

    Start/stop Splunk, check status

    Ensure that you have added Splunk to your server host's path (as explained above, in "Adding Splunk to your shell path"). Otherwise you must use the ./splunk command.

    Start the Server

    From a shell prompt on the Splunk server host, run this command:

    # splunk start

    Alternately, start either splunkd (to load back-end configuration) or Splunk Web (to load web configuration):

    # splunk start splunkd

    # splunk start splunkweb

    Note: manually starting splunkweb will not override the setting startwebserver in web.conf. If it is disabled in the config files, it will not start.

    Or restart Splunk (splunkd or Splunk Web) by running:

    # splunk restart

    # splunk restart splunkd

    # splunk restart splunkweb

    Stop the Server

    To shut down Splunk, run this command:

    # splunk stop

    Also available for splunkd and Splunk Web:

    # splunk stop splunkd

    # splunk stop splunkweb

    Check if Splunk is running

    To check if Splunk is running, type this command at the shell prompt on the server host:

    # splunk status

    You should see this output:

    splunkd is running (PID: 3162).
    splunk helpers are running (PIDs: 3164).
    splunkweb is running (PID: 3216).

    Or you can use ps to check for running Splunk processes:

    # ps aux | grep splunk | grep -v grep

    Solaris users, type -ef instead of aux:

    # ps -ef | grep splunk | grep -v grep
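    The three status lines shown above are the contract `splunk status` gives you, so a health check can be built by parsing them into an exit status rather than eyeballing ps output. The following is an added example, not Splunk's own tooling: the sample output is constructed from the lines shown above, and the component names (splunkd, splunk helpers, splunkweb) are taken from that output.

```shell
#!/bin/sh
# Health check built on the output of `splunk status` (added example, not
# Splunk's own code). The three process lines the manual shows are treated as
# the contract: splunkd, the helpers and splunkweb must all report "running".

# Constructed sample output, copied from the shape shown in the manual.
SAMPLE_STATUS='splunkd is running (PID: 3162).
splunk helpers are running (PIDs: 3164).
splunkweb is running (PID: 3216).'

# splunk_component_running STATUS_TEXT NAME
# Returns 0 when NAME (splunkd, "splunk helpers" or splunkweb) reports running.
splunk_component_running() {
    printf '%s\n' "$1" | grep -Eq "^$2 (is|are) running \("
}

# splunk_all_running STATUS_TEXT
# Returns 0 only when every component is running; names the first missing one.
splunk_all_running() {
    for name in splunkd "splunk helpers" splunkweb; do
        if ! splunk_component_running "$1" "$name"; then
            echo "not running: $name" >&2
            return 1
        fi
    done
    return 0
}

# splunk_pid STATUS_TEXT NAME: the PID of a single-process component, for
# cross-checking against ps or a pid file.
splunk_pid() {
    printf '%s\n' "$1" | sed -n "s/^$2 is running (PID: \([0-9]*\)).*/\1/p"
}

# Live use on a server: pass the real output instead of the sample, e.g.
#   splunk_all_running "$(splunk status)" || echo "ALERT: Splunk degraded"
```

    On a live host replace the sample with `"$(splunk status)"`; run from cron or a monitoring agent, the function reports which of the three processes has stopped, which the single ps line above does not distinguish.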

    Where to find help

    Help is available in several forms.

    • From the CLI:
      ♦ Type # splunk help
    • From Splunk Web:
      ♦ Follow the help link in the upper right hand corner of Splunk Web.
      ♦ Click the tutorial link from the Splunk Web landing page.
    • Contact Splunk Support:
      ♦ Many options are available on the support portal.
      ♦ Email Splunk support.

    Change defaults

    Changing the admin default password

    Splunk with an Enterprise license has a default administration account and password. It is highly recommended that you change the default. You can do this via Splunk's CLI or Splunk Web.

    Note: CLI commands assume you have set a Splunk environment variable. If you have not, navigate to $SPLUNK_HOME/bin and run the ./splunk command.

    via Splunk Web

    • Log in as admin.
    • Click Admin in the top-right of the interface.
    • Click the Users tab.
    • Under the Action heading click Edit.
    • Type in the new information and click Save.

    via Splunk CLI

    The Splunk CLI command is:

    # splunk edit user

    Note: You must authenticate with the existing password before it can be changed. Log into Splunk via the CLI or use the -auth parameter.

    For example:

    # splunk edit user admin -password foo -auth admin:changeme

    This command changes the admin password from changeme to foo.

    Changing network ports

    Splunk uses two ports. They default to:

    • 8000 - HTTP or HTTPS socket for Splunk Web.
    • 8089 - Splunkd management port. Used to communicate with the splunkd daemon. Splunk Web talks to splunkd on this port, as does the command line interface and any distributed connections from other servers.

    via Splunk Web

    • To change the port settings via Splunk Web, click the Admin link in the upper right hand corner.
    • Then, click the Server tab. Click on Settings and change the port assignments.

    via Splunk CLI

    To change the port settings via the Splunk CLI, use the CLI command set.

    # splunk set web-port 9000

    This command sets the Splunk Web port to 9000.

    # splunk set splunkd-port 9089

    This command sets the splunkd port to 9089.

    Changing the default Splunk server name

    The Splunk server name setting controls both the name displayed within Splunk Web and the name sent to other Splunk Servers in a distributed setting.

    The default name is taken from either the DNS or IP address of the Splunk Server host.

    via Splunk Web

    • To change this setting, click the Admin link in the upper right-hand corner.
    • Then, click the Server tab and modify the Splunk Server name variable under the Settings tab.

    via Splunk CLI

    To change the server name via the CLI, type the following:

    # splunk set servername foo

    This command sets the servername to foo.

    Changing the datastore location

    The datastore is the top-level directory where the Splunk Server stores all indexed data, user accounts, and working files.

    Note: If you change this directory, the server does not migrate old datastore files. Instead, it starts over again at the new location.

    To migrate your data to another directory follow the instructions in Move an index.

    via Splunk Web

    • To change this setting, click the Admin link in the upper right hand corner.
    • Then, click the Server tab and modify the Datastore path variable under the Settings tab.

    via Splunk CLI

    To change the datastore location via the CLI, type the following:

    # splunk set datastore-dir /var/splunk/

    This command sets the datastore directory to /var/splunk/.

    Set minimum free disk space

    The minimum free disk space setting controls how low disk space in the datastore location can fallbefore Splunk stops indexing.

    Splunk resumes indexing when more space becomes available. For detailed information on how tomanage Splunk server disk usage, see Disk usage.

    via Splunk Web

    • To change this setting, click the Admin link in the upper right-hand corner.
    • Then, click the Server tab and modify the variable below Pause indexing if free disk space falls below under the Settings tab.

    via Splunk CLI

    To change the minimum free disk space via the CLI, type the following:

    # splunk set minfreemb 2000

    This command sets the minimum free space to 2000 MB.

    Find and index data

    There are many ways to set up data inputs in Splunk. This section is a high-level description of these techniques. For more detailed methods, see the data inputs section.

    Here's a brief intro on getting data into Splunk.

    Monitor a file

    When you first log in to Splunk Web, you're provided a link to begin monitoring /var/log locally. You can monitor other files and directories you're interested in. When you specify a file to monitor, Splunk processes the entire file and then watches the file and processes additions to it. When you monitor a directory, Splunk recursively searches all subdirectories looking for files resembling log files. You can explicitly include or exclude files with whitelisting and blacklisting.

    Monitor files via Splunk Web

    Manage your indexed files and add new files to your index from the Admin > Data Inputs: Files & Directories page.

    1. To access the Admin page, click the Admin link in the upper right-hand corner.

    The Admin page opens to the Server settings page.

    2. From the navigation links on the left, click Data Inputs.

    The Admin > Data Inputs: All page opens.

    3. From the navigation links on the left or the table of input types, click Files & Directories.

    The Admin > Data Inputs: Files & Directories page opens.

    4. Click New Input.

    The Admin > Data Inputs: Files & Directories: New Input opens.

    Monitor files via the CLI

    Use the splunk add command. These commands assume you have set a Splunk environment variable. If you have not, you must navigate to $SPLUNK_HOME/bin and run the ./splunk command.

    For example:

    splunk add monitor /var/log/

    This command monitors all files in /var/log/.

    Crawl for inputs

    Splunk 3.3 introduces the new crawl feature. Crawl your file system for potential logs and data to index. Read more about Using crawl and Configuring crawl.

    Add more users

    There are three default user roles and three different authentication methods to choose from when you set up Splunk with an Enterprise license. Users authenticate with Splunk's built-in system (described below), LDAP or scripted authentication (for third-party auth systems). Any of these methods works with Splunk's roles system.

    You must be logged in as a Splunk administrator to add or edit user accounts. The default Admin account password is changeme.

    Note: Splunk with a Free license does not contain access control features. To access this page, you must run Splunk with an Enterprise license. For more information, read About Splunk licenses.

    Lost admin password

    If you lose the password to your admin account, contact Splunk Support for assistance.

    Splunk local users

    A Splunk Admin can create new users either via Splunk Web or Splunk's CLI. Users can be mapped to Splunk's default roles or any custom roles via authorize.conf.

    via Splunk Web

    • To manage user accounts, click the Admin link in the upper right-hand corner.
    • From the left hand navigation list, click Users.
    • To add a new user, click the New User button.
    • To edit existing accounts, click the Edit link under the Action heading.
    • Enter the new or changed information and then click Save.

    via Splunk CLI

    From the CLI, use the following commands to add, edit, remove, or list users.

    add user [-parameter value] ...
    edit user [-parameter value] ...
    remove user [-parameter value] ...
    list user

    Required (default) Parameters:

    username -- the name of the Splunk user account to manage.

    full-name -- the full name of the user in quotes, for example "Nikola Tesla".

    role -- either User, Power, or Admin.

    Note: The role names are case sensitive.

    Optional Parameters:

    password -- the password to set for the account.

    Examples

    The following are examples of editing a user's properties and adding a new user. Only Admin roles can modify user properties. To login, use the splunk login command or -auth, as exemplified in these examples.

    Note: These examples assume you have set a Splunk environment variable. If you have not, navigate to $SPLUNK_HOME/bin and run the ./splunk command.

    Example 1

    Let's say, as an admin on a Splunk server, you want to change the password for another user. The syntax for this looks something like:

    # splunk edit user -password -auth :

    Note: When editing a specific user's properties, you can list the user without the -username parameter.

    Therefore, to authenticate as user admin to change the password for user newbie:

    # splunk edit user newbie -password f8h2.$R -auth admin:adminpw

    Example 2

    Now, as an admin on a Splunk server, you want to add a new user with more than one role. The syntax for this looks something like:

    # splunk add user -username -full-name "First Last" -role -role -password -auth :

    Therefore, to add a new user deep, with Everybody and Admin permissions:

    # splunk add user -username deep -full-name "the deep" -role Everybody -role Admin -password foobar -auth admin:adminpw
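    Before an automation script hands a user command to the CLI, it is worth checking it against the rules this section states: role names are case sensitive, and the -auth string must be the last term. The following is an added example of such a pre-flight check, not part of Splunk; the EXTRA_ROLES variable is an assumption used to accept custom roles such as the Everybody role in Example 2.

```shell
#!/bin/sh
# Pre-flight check for `splunk add user` / `splunk edit user` argument lists,
# built from the rules in this section (added example, not Splunk's code):
#   - a role must be one of the case-sensitive names User, Power, Admin, or a
#     custom role listed in EXTRA_ROLES (an assumption; see authorize.conf)
#   - the -auth username:password string must be the last term
# Meant for scripts that assemble the command before running it, so a typo is
# caught before credentials are sent anywhere.

EXTRA_ROLES="${EXTRA_ROLES:-}"   # e.g. EXTRA_ROLES=Everybody for Example 2

# role_is_valid ROLE: 0 if ROLE is a default role or listed in EXTRA_ROLES
role_is_valid() {
    case " User Power Admin $EXTRA_ROLES " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_user_cmd ARGS...: validate the terms that would follow `splunk`.
# Reports the first problem on stderr and returns 1; returns 0 when clean.
check_user_cmd() {
    prev=""
    auth_done=0
    for arg in "$@"; do
        if [ "$auth_done" = 1 ]; then
            echo "error: -auth must be the last term (found '$arg' after it)" >&2
            return 1
        fi
        if [ "$prev" = "-role" ] && ! role_is_valid "$arg"; then
            echo "error: unknown or mis-cased role '$arg' (roles are case sensitive)" >&2
            return 1
        fi
        if [ "$prev" = "-auth" ]; then
            case "$arg" in
                *:*) auth_done=1 ;;
                *) echo "error: -auth expects username:password" >&2; return 1 ;;
            esac
        fi
        prev="$arg"
    done
    if [ "$prev" = "-role" ] || [ "$prev" = "-auth" ] || [ "$prev" = "-password" ]; then
        echo "error: '$prev' is missing its value" >&2
        return 1
    fi
    return 0
}

# Usage: build the argument list once, check it, then run it unchanged.
#   set -- edit user newbie -password "$NEWPW" -auth "admin:$ADMINPW"
#   check_user_cmd "$@" && splunk "$@"
```

    check_user_cmd only inspects the argument list; it never runs the command. For interactive use, `splunk login` keeps the admin password out of the shell history that a trailing -auth term leaves behind.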

    Start searching

    Now you're ready to start using Splunk's search capabilities. Here are a few pages to help you start searching:

    1. Search reference.
    2. Search syntax.
    3. Search tutorial.

    Data Inputs

    How input configuration works

    Splunk consumes any data you point it at. Before indexing data, you must add your data source as an input. The source is then listed as one of Splunk's default fields (whether it's a file, directory or network port).

    Note: Splunk looks for the inputs it is configured to monitor every 24 hours starting from the time it was last restarted. This means that if you add a stanza to monitor a directory or file that doesn't exist yet, it could take up to 24 hours for Splunk to start indexing its contents.

    Data input methods

    Specify data inputs via the following methods:

    • Splunk Web.
    • Splunk's CLI.
    • The inputs.conf configuration file.
    • Data distribution.

    Most data sources can be specified via Splunk Web. For more extensive configuration options, use inputs.conf. Changes made via Splunk Web or the Splunk CLI are written to $SPLUNK_HOME/etc/system/local/inputs.conf. Configure Windows inputs via inputs.conf as well.

    Sources

    Splunk accepts data inputs from a wide range of sources. Here's a basic overview of your options. Read on through the Data Inputs and Data Distribution sections of this manual for configuration specifics.

    Files and directories

    Many data inputs come directly from files and directories. For the most part, you can use Splunk's monitor processor to index data in files and directories. If you have a large archive of historical data, you may want to use batch. Data sent via batch is loaded once and the original files are deleted when Splunk is done indexing them. Keep this in mind when using batch input.

    You can also configure Splunk's file system change monitor to watch for changes in your file system. However, you cannot currently use both monitor and file system change monitor to follow the same directory or file. If you want to see changes (eg. file edits, ownership changes) in a directory, use file system change monitor. If you want to index new events (eg. from log files) in a directory, use monitor.

    To configure files and directories, see files and directories.

    To configure file system change monitor, see the page on file system change monitor.

    Monitor

    Specify a path to a file or directory and Splunk's monitor processor consumes any new input. You can also specify a mounted or shared directory, as long as the Splunk server can see the directory. If the specified directory contains subdirectories, Splunk recursively examines them for new files. Splunk only checks for files and directories each time the Splunk server starts/restarts, so be sure to add new sources when they become available if you don't want to restart the server. You can also use crawl to discover new sources.

    When using monitor:

    • Files can be opened or closed for writing. Splunk consumes files even if they're still being written to by the operating system.
    • Files or directories can be included or excluded via whitelists and blacklists. For more information, see "Whitelist and blacklist rules" in this manual.
    • Upon restart, Splunk continues processing files where it left off.
    • Splunk unpacks compressed archive files before it reads them. Splunk can handle the following common archive filetypes: tar, gz, bz2, tar.gz, tgz, tbz, tbz2, zip, and z, and it processes compressed files according to their extension. Keep in mind that unpacking large amounts of compressed files can cause performance issues, so you may want to store old archive files where they are not monitored by Splunk.
    • Splunk detects log file rotation and does not process renamed files it has already indexed, with the exception of archive filetypes such as .tar and .gz, which it will not recognize as being the same as the uncompressed originals (you can exclude them with the blacklist functionality mentioned above). For more information see "Log file rotation" in this manual.
    • The entire path dir/filename for a monitored file must not exceed 993 characters. Paths longer than this are indexed, but the source key is truncated.
    • Set the sourcetype to Automatic when you monitor a directory. If the directory contains multiple files of different formats, do not set a value for the source type manually. Manually setting a source type forces a single source type for all files in that directory.
    • Removing an input does not stop Splunk from indexing files right away. The input will be disabled when the Splunk server is restarted. Additionally, some small amount of data already read from these files may be indexed after the restart.

    Note: Splunk rescans the inputs it is configured to monitor every 24 hours starting from the time it was last restarted. This means that if you add a stanza to monitor a directory or file that doesn't exist yet, it could take up to 24 hours for Splunk to start indexing its contents.

    Important: To avoid performance issues, Splunk recommends that you set followTail=1 in inputs.conf if you are deploying Splunk to systems containing significant quantities of historical data. Setting followTail=1 for a monitor input means that any new incoming data is indexed when it arrives, but anything already in files on the system when Splunk was first started will not be indexed.

    For the curious, some detail on How Splunk Reads Input Files is available on the Community wiki.
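    The blacklist advice for rotated archives and the followTail=1 recommendation above can be written into a monitor stanza and verified before it goes live. The following is an added example, not Splunk's code; it assumes the stanza header form [monitor://<path>] and the attribute names followTail and blacklist (a regular expression matched against the file path), and writes to whatever file you pass rather than straight into $SPLUNK_HOME/etc/system/local/inputs.conf.

```shell
#!/bin/sh
# Write and read back a monitor stanza of the kind this section describes
# (added example, not Splunk's code). Assumed: the [monitor://<path>] header,
# and the followTail / blacklist / disabled attribute names of inputs.conf,
# with blacklist being a regular expression matched against the file path.

# Extended regex matching the archive extensions the manual says Splunk will
# unpack and re-index after log rotation; used as the blacklist value.
ARCHIVE_BLACKLIST='\.(tar|gz|bz2|tgz|tbz|tbz2|zip|z)$'

# write_monitor_stanza FILE PATH FOLLOWTAIL BLACKLIST_REGEX
# Appends one stanza to FILE (use a scratch file until reviewed).
write_monitor_stanza() {
    {
        printf '[monitor://%s]\n' "$2"
        printf 'followTail = %s\n' "$3"
        printf 'blacklist = %s\n' "$4"
        printf 'disabled = 0\n\n'
    } >> "$1"
}

# stanza_attr FILE STANZA KEY: print the value of KEY inside [STANZA], so a
# deployment script can confirm what actually landed in the file.
stanza_attr() {
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { in_stanza = ($0 == want); next }
        in_stanza && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

# is_blacklisted FILENAME REGEX: 0 if the monitor input would skip this file
is_blacklisted() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Example: a stanza for /var/log that ignores rotated archives and, per the
# followTail=1 advice, skips data already present when Splunk first starts.
#   write_monitor_stanza ./inputs.conf.draft /var/log 1 "$ARCHIVE_BLACKLIST"
```

    Review the draft file and then copy the stanza into $SPLUNK_HOME/etc/system/local/inputs.conf; as the note above says, a stanza for a path that does not exist yet may take up to 24 hours to take effect unless Splunk is restarted.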

    Upload files

    Upload files directly through Splunk Web. If necessary, Splunk decompresses files before indexing. Uploading files through Splunk Web places them in the spool directory $SPLUNK_HOME/var/spool/splunk.

    Use the batch processor at the CLI to load files once and destructively. By default, Splunk's batch processor is located in $SPLUNK_HOME/var/spool/splunk. If you move a file into this directory, Splunk indexes it and deletes it. You should only use this for large archives of historical data. For most inputs, use monitor.

    FIFO queues

    Caution: Due to common issues with deadlock and data loss, the use of FIFOs is not recommended. Monitor is a more reliable, stable method. Support for FIFO inputs is deprecated and will be removed in a future release of Splunk.

    A FIFO (AKA named pipe) is a queue of data maintained in memory. File systems can write log messages directly to a FIFO. Splunk then accesses the FIFO as though it were a file. FIFO access is very fast, but FIFOs are vulnerable when there are processing disruptions because the in-memory data may be lost.

    To configure FIFO queues, see "FIFO" in this manual.

    Network ports

    You can configure Splunk with an Enterprise license to listen on any network port. This is the best method to send data to your Splunk server from any machine (see data distribution for more information). When configuring network ports, keep in mind that you cannot use privileged ports (i.e. any port lower than 1025) if you have not installed Splunk as root on Linux, Unix, Mac, or FreeBSD. Windows does not implement privileged ports, so Splunk can bind to any port when running under any user context.

    To configure network ports, see "Network ports" in this manual.

    UDP

    UDP is a best effort protocol, so you may experience data loss under certain conditions such as high network or system utilization. Use UDP inputs only when the sending device does not support TCP.

    Splunk with an Enterprise license can listen for data on any UDP port. When configured to listen on UDP port 514, Splunk eliminates the need to install and configure a syslog server to listen for syslog data sent from remote hosts.

    TCP

    TCP is a reliable, connection-oriented protocol that should be used instead of UDP to transmit and receive data whenever possible. Splunk with an Enterprise license can receive data on any TCP port, allowing Splunk to receive remote data from syslog-ng and other applications that transmit via TCP. TCP is the foundation of Splunk's data distribution architecture.

    Scripted inputs

    Configure Splunk to run shell commands on a schedule, and then index whatever the command writes to standard output.

    For example:

    • vmstat, iostat, netstat, and any other network or system status commands.
    • SQL DBI.
    • HTTP and HTTPS requests.
    • SNMP.

    See configure scripted inputs for details on setting this up.
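    An added example of a scripted input of this kind (not a script shipped with Splunk): it reports free disk space under a directory as one key=value event on standard output, so the minimum free disk space threshold from the Change defaults section can be watched from the index and alerted on before indexing pauses. DATASTORE_DIR is an assumption that defaults to the $SPLUNK_HOME default of /opt/splunk; set it to your actual datastore path.

```shell
#!/bin/sh
# Scripted input that emits one event per run on standard output for Splunk to
# index (added example, not Splunk's own script). It reports free space on the
# filesystem holding the datastore and compares it with the same minimum-free
# threshold that `splunk set minfreemb` configures, so an alert can fire before
# Splunk itself pauses indexing.
# Assumed: DATASTORE_DIR, defaulting to the manual's /opt/splunk $SPLUNK_HOME.

DATASTORE_DIR="${DATASTORE_DIR:-/opt/splunk}"

# free_mb DIR: available megabytes on the filesystem holding DIR (POSIX df -P)
free_mb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# disk_event DIR MIN_FREE_MB: one timestamped key=value event whose status
# field mirrors Splunk's rule (indexing pauses once free space < MIN_FREE_MB)
disk_event() {
    dir=$1
    min=$2
    free=$(free_mb "$dir")
    if [ -z "$free" ]; then
        status=unreadable   # directory missing or df failed: report, don't guess
        free=0
    elif [ "$free" -lt "$min" ]; then
        status=below_threshold
    else
        status=ok
    fi
    printf '%s datastore=%s free_mb=%s min_free_mb=%s status=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$dir" "$free" "$min" "$status"
}

# disk_status DIR MIN_FREE_MB: exit status only (0 = enough free space), for
# use from other scripts or a cron job.
disk_status() {
    [ "$(free_mb "$1")" -ge "$2" ] 2>/dev/null
}

# When Splunk's scheduler runs this script, emit the event for the datastore.
# The 2000 MB threshold matches the `splunk set minfreemb 2000` example above.
if [ -d "$DATASTORE_DIR" ]; then
    disk_event "$DATASTORE_DIR" 2000
fi
```

    Point a scripted input at this script and search the resulting events for status=below_threshold to alert on disk pressure; the same event stream also gives a history of free space for capacity planning.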

    Windows data sources

    By default, Splunk for Windows indexes the Windows Application, System, and Security event logs. Splunk for Windows can also monitor and index changes to your registry and accept WMI data input. For more information on configuring Splunk for Windows, see "Windows inputs" in this manual.

    Crawl

    Discover new inputs automatically. Crawl uses rules you configure to traverse any directory structure. Splunk adds new inputs you find via crawl to inputs.conf.

    Data processing

    Once Splunk consumes data, it is sent to the universal processing pipeline. Splunk can automatically learn event boundaries, classify events and sources, and extract timestamps. However, you may want to manually override Splunk's automatic processing. Change processing settings and indexing properties via props.conf.

    Some attributes within props.conf can be customized by defining new stanzas in other configuration files. For example, transforms.conf defines regex-based rules for extracting fields, routing events, and performing other transformations. segmenters.conf and outputs.conf can also define attribute values referenced by props.conf.

    Common use cases for custom indexing properties include:

    • Define additional indexed or extracted fields.
    • Override the value of host on a per-event basis, such as for syslog coming from multiple servers.
    • Customize how Splunk recognizes timestamps.
    • Change how Splunk recognizes multi-line event boundaries.
    • Mask sensitive data in an event, such as social security numbers.
    • Customize how Splunk segments events in its index.

    Files and directories

    Point Splunk at a file or a directory. If you specify a directory, Splunk consumes everything in the directory. Splunk has two different file input processors: monitor and batch. For the most part, use monitor to input all your data sources from files and directories. The only time you should use batch is to load a large archive of historical files. Read on for more specifics.

    Monitor

    Specify a path to a file or directory and Splunk's monitor processor consumes any new input. You can also specify a mounted or shared directory, including network filesystems, as long as the Splunk server can read from the directory. If the specified directory contains subdirectories, Splunk recursively examines them for new files.

    Splunk checks for the file or directory specified in a monitor configuration on Splunk server start and restart. If the file or directory specified is not present on start, Splunk checks for it again in 24 intervals from the time of the last restart. Subdirectories of monitored directories are scanned continuously. To add new inputs without restarting Splunk, use Splunk Web or the command line interface. If you want Splunk to find potential new inputs automatically, use crawl.

    When using monitor:

    • On most operating systems, files can be opened or closed for writing. With the exception of Windows, Splunk consumes files even if they're still being written to by the operating system.
    • Files or directories can be included or excluded via whitelists and blacklists.
    • Upon restart, Splunk continues processing files where it left off.
    • Splunk decompresses archive files before it indexes them. It can handle the following common archive file types: .tar, .gz, .bz2, .tar.bz2, and .zip.
    • Splunk detects log file rotation and does not process renamed files it has already indexed (with the exception of .tar and .gz archives; for more information see "Log file rotation" in this manual).
    • The entire dir/filename path must not exceed 1024 characters.
    • Set the sourcetype for directories to Automatic. If the directory contains multiple files of different formats, do not set a value for the source type manually. Manually setting a source type forces a single source type for all files in that directory.
    • Removing an input does not stop the input's files from being indexed. Rather, it stops files from being checked again, but all the initial content will be indexed. To stop all in-process data, you must restart the Splunk server.

    Note: You cannot currently use both monitor and file system change monitor to follow the same directory or file. If you want to see changes in a directory, use file system change monitor. If you want to index new events in a directory, use monitor.

    Note: Monitor input stanzas may not overlap. That is, monitoring /a/path while also monitoring /a/path/subdir will produce unreliable results. Similarly, monitor input stanzas which watch the same directory with different whitelists, blacklists, and wildcard components are not supported.

    Batch

    Use the batch processor at the CLI or in inputs.conf to load files once and destructively. By default, Splunk's batch processor is located in $SPLUNK_HOME/var/spool/splunk. If you move a file into this directory, Splunk indexes it and then deletes it.

    Note: Batch is most useful for loading in historical data, such as large archives of files. For best practices on loading file archives, see "How to index different sized archives".

    Splunk Web

    Add inputs from files and directories via Splunk Web.

    1. Click Admin in the upper right-hand corner of Splunk Web.

    2. Then click Data Inputs.

    3. Pick files and directories.

    4. Click New Input to add an input.

    5. Under Data access, pick Monitor a directory.

    You can also:

    • Upload a local file from your local machine into Splunk.
    • Index a file on the Splunk server, which copies a file on the server into Splunk via the batch directory.

    6. Specify the pathname to the file or directory. If you select Upload, use the Browse... button.

    To monitor a shared network drive, enter the following: (or \\\ on Windows). Make sure your Splunk server has read access to the mounted drive as well as the files you wish to monitor.

    7. Under the Host heading, select the host name. You have several choices if you are using Monitor or Batch methods. Learn more about setting host value.

    Note: Host only sets the host field in Splunk. It does not direct Splunk to look on a specific host on your network.

    8. Now set the Source Type. Source type is a default field added to events. Source type is used to determine processing characteristics such as timestamps and event boundaries. Learn more about source type.

    9. After specifying the source, host, and source type, click Submit.

    CLI

    Monitor files and directories via Splunk's Command Line Interface (CLI). To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command from the UNIX or Windows command prompt. Or add Splunk to your path and use the splunk command.

    If you get stuck, Splunk's CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well: type splunk help .

    The following commands are available for input configuration via the CLI:

    Command   Command syntax                                Action
    add       add monitor $SOURCE [-parameter value] ...    Add inputs from $SOURCE.
    edit      edit monitor $SOURCE [-parameter value] ...   Edit a previously added input for $SOURCE.
    remove    remove monitor $SOURCE                        Remove a previously added $SOURCE.
    list      list monitor                                  List the currently configured monitor.
    spool     spool source                                  Copy a file into Splunk via the sinkhole directory.

    Change the configuration of each data input type by setting additional parameters. Parameters are set via the syntax: -parameter value.

    Note: You can only set one -hostname, -hostregex or -hostsegmentnum per command.

    Parameter        Required?        Description
    source           Required         Path to the file or directory to monitor for new input.
    sourcetype       Optional         Specify a sourcetype field value for events from the input source.
    index            Optional         Specify the destination index for events from the input source.
    hostname         Optional         Specify a host name to set as the host field value for events from the input source.
    hostregex        Optional         Specify a regular expression on the source file path to set as the host field value for events from the input source.
    hostsegmentnum   Optional         Set the number of segments of the source file path to set as the host field value for events from the input source.
    follow-only      Optional (T/F)   True or False. Default False. When set to True, Splunk will read from the end of the source (like the "tail -f" Unix command).

    Example: use the CLI to monitor /var/log/

    The following example shows how to monitor files in /var/log/:

    Add /var/log/ as a data input:

    ./splunk add monitor /var/log/

    Example: use the CLI to monitor windowsupdate.log

    The following example shows how to monitor the Windows Update log (where Windows logs automatic updates):

    Add C:\Windows\windowsupdate.log as a data input:

    ./splunk add monitor C:\Windows\windowsupdate.log

    Example: use the CLI to monitor IIS logging

    This example shows how to monitor the default location for Windows IIS logging. Add C:\windows\system32\LogFiles\W3SVC as a data input:

    ./splunk add monitor c:\windows\system32\LogFiles\W3SVC

    Inputs.conf

    To add an input, add a stanza for it to inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. If you have not worked with Splunk's configuration files before, read how configuration files work before you begin.

    You can set any number of attributes and values following an input type. If you do not specify a value for one or more attributes, Splunk uses the defaults that are preset in $SPLUNK_HOME/etc/system/default/ (noted below).

    Monitor

    [monitor://] = = ...

    This type of input stanza (monitor) directs Splunk to watch all files in the specified path (or just that file if the path represents a single file). You must specify the input type and then the path, so put three slashes in your path if you're starting at root. You can use wildcards for the path. For more information, see the "Wildcards" subsection, below.

    Note: To ensure new events are indexed when you copy over an existing file with new contents, set CHECK_METHOD = modtime in props.conf for the source. This checks the modtime of the file and re-indexes when it changes. Note that the entire file is indexed, which can result in duplicate events.

    host =

    • Set the host value of your input to a static value.
    • host= is automatically prepended to the value when this shortcut is used.
    • Defaults to the IP address or fully qualified domain name of the host where the data originated.
    • For more information about the host field, see "How host works" in this manual.

    index =

    • Set the index where events from this input will be stored.
    • index= is automatically prepended to the value when this shortcut is used.
    • Defaults to main (or whatever you have set as your default index).
    • For more information about the index field, see "Splunk data management" in this manual.

    sourcetype =

    • Set the sourcetype name of events from this input.
    • sourcetype= is automatically prepended to the value when this shortcut is used.
    • Splunk automatically picks a source type based on various aspects of your data. There is no hard-coded default.
    • For more information about the sourcetype field, see "How source types work" in this manual.

    source =

    • Set the source name of events from this input.
    • Defaults to the file path.
    • source= is automatically prepended to the value when this shortcut is used.

    queue = (parsingQueue, indexQueue, etc)

    • Specify where the input processor should deposit the events that it reads.
    • Can be any valid, existing queue in the pipeline.
    • Defaults to parsingQueue.

    host_regex =

    • If specified, the regex extracts host from the filename of each input.
    • Specifically, the first group of the regex is used as the host.
    • Defaults to the default host= attribute if the regex fails to match.

    host_segment =

    • If specified, the '/' separated segment of the path is set as host.
    • Defaults to the default host:: attribute if the value is not an integer, or is less than 1.

    crcSalt =

    • If set, this string is added to the CRC.
    • Use this setting to force Splunk to consume files that have matching CRCs.
    • If set to crcSalt = (note: this setting is case sensitive), then the full source path is added to the CRC.

    followTail = 0|1

    • If set to 1, monitoring begins at the end of the file (like tail -f).
    • This only applies to files the first time they are picked up.
    • After that, Splunk's internal file position records keep track of the file.

    _whitelist =

    • If set, files from this path are monitored only if they match the specified regex.

    _blacklist =

    • If set, files from this path are NOT monitored if they match the specified regex.
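The host precedence described for the host, host_regex and host_segment attributes above, and the CLI rule that only one of -hostname, -hostregex or -hostsegmentnum may be given per command, worked through in Python. This is an added example, not code from the manual or from Splunk: resolve_host() and host_options_valid() are hypothetical helpers, the file paths are constructed, and the assumption that host_segment counts path segments from 1 starting after the leading slash is the author's, not something the manual states.

```python
import re


def resolve_host(path, default_host, host_regex=None, host_segment=None):
    """Return the host value for an event read from `path`.

    Precedence follows the attribute descriptions in the manual:
      1. host_regex: the first capture group, if the regex matches;
      2. host_segment: the Nth '/' separated segment, if N is an integer >= 1
         and the path has that many segments;
      3. otherwise the static default host.
    Assumption (not stated by the manual): segments are counted from 1 after
    the leading '/', so host_segment = 4 on /var/log/hosts/web01/messages
    yields "web01".
    """
    if host_regex:
        m = re.search(host_regex, path)
        if m and m.groups() and m.group(1):
            return m.group(1)
    if host_segment is not None:
        try:
            n = int(host_segment)
        except (TypeError, ValueError):
            n = 0  # not an integer: fall through to the default host
        segments = path.strip("/").split("/")
        if 1 <= n <= len(segments):
            return segments[n - 1]
    return default_host


def host_options_valid(hostname=None, hostregex=None, hostsegmentnum=None):
    """The CLI accepts at most one of -hostname, -hostregex, -hostsegmentnum
    per command; return False when a caller tries to combine them."""
    given = [o for o in (hostname, hostregex, hostsegmentnum) if o is not None]
    return len(given) <= 1


if __name__ == "__main__":
    # Constructed sample paths, as produced by a syslog relay writing one
    # directory per originating host.
    for p in ("/var/log/hosts/web01/messages", "/var/log/hosts/db02/secure"):
        print(p, "->", resolve_host(p, "indexer1", host_regex=r"hosts/([^/]+)/"))
    print(host_options_valid(hostname="web01", hostsegmentnum=4))  # False
```

Setting both host_regex and host_segment in inputs.conf is legal per the attribute descriptions (each falls back to the default host on its own), so the helper honours both in order; only the CLI forbids combining the equivalent flags.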

    Wildcards

    You can use wildcards to specify your input path for monitored input. Use ... for paths and * for files.

    • ... recurses through directories until the match is met. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc., but only if bar is a file.
    • To recurse through a subdirectory, use another .... For example, /foo/.../bar/....
    • * matches anything in that specific path segment. It cannot be used inside of a directory path; it must be used in the last segment of the path. For example, /foo/*.log matches /foo/bar.log but not /foo/bar.txt or /foo/bar/test.log.
    • Combine * and ... for more specific matches: foo/.../bar/* matches any file in the bar directory within the specified path.

    Note: In Windows, you must use two backslashes \\ to escape wildcards. Regexes with backslashes in them are not currently supported for _whitelist and _blacklist in Windows.

    Specifying wildcards results in an implicit _whitelist created for that stanza. The longest fully qualified path is used as the monitor stanza, and the wildcards are translated into regular expressions using the following map:

    wildcard   regex   meaning
    *          [^/]*   anything but /
    ...        .*      anything (greedy)
    .          \.      literal .

    Additionally, the converted expression is anchored to the right end of the file path, so that the entire path must be matched.

    For example, if you specify

    [monitor:///foo/bar*.log]

    Splunk translates this into

    [monitor:///foo/]
    _whitelist = bar[^/]*\.log$

    As a consequence, you can't have multiple stanzas with wildcards for files in the same directory.

    Also, you cannot use a _whitelist declaration in conjunction with wildcards.

    For example:

    [monitor:///foo/bar_baz*]
    [monitor:///foo/bar_qux*]

    This results in overlapping stanzas indexing the directory /foo/. Splunk takes the first one, so only files starting with /foo/bar_baz will be indexed. To include both sources, manually specify a _whitelist using regular expression syntax for "or":

    [monitor:///foo]
    _whitelist = (bar_baz[^/]*|bar_qux[^/]*)$

    Note: To set any additional attributes (such as sourcetype) for multiple whitelisted/blacklisted inputs that may have different attributes, use props.conf.
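The wildcard-to-_whitelist translation just described, and the earlier note that monitor stanzas may not overlap, worked through in Python. This is an added example and not the manual's or Splunk's own code: to_stanza() splits a wildcard path into the longest wildcard-free directory and a right-anchored regex using the three-entry map above, matches() checks candidate paths against it, and combine() shows why two wildcard stanzas for the same directory collide and how OR-ing their whitelists resolves it. It assumes the whitelist regex is tested against the full file path and that characters other than the three wildcards are literal; both are the author's assumptions, and the paths are constructed.

```python
import re
from collections import defaultdict

# Translation map from the manual: * -> [^/]*   ... -> .*   . -> \.
WILDCARD_MAP = {"*": "[^/]*", "...": ".*", ".": r"\."}
# Try "..." before "." so a recursion token is not read as three literal dots.
TOKEN_RE = re.compile(r"\.\.\.|\*|\.")


def split_stanza(pattern):
    """Return (stanza_dir, remainder): the longest leading path with no
    wildcard becomes the [monitor://...] stanza, the rest is translated."""
    parts = pattern.split("/")
    for i, seg in enumerate(parts):
        if "*" in seg or "..." in seg:
            return "/".join(parts[:i]) + "/", "/".join(parts[i:])
    return pattern, ""


def remainder_to_regex(remainder):
    """Translate the wildcard remainder into a regex anchored on the right."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(remainder):
        # Assumption: text between wildcards is literal, so escape it.
        out.append(re.escape(remainder[pos:m.start()]))
        out.append(WILDCARD_MAP[m.group()])
        pos = m.end()
    out.append(re.escape(remainder[pos:]))
    return "".join(out) + "$"  # the entire path must be matched at its end


def to_stanza(pattern):
    """Return (stanza_dir, implicit _whitelist regex) for a wildcard path."""
    stanza_dir, remainder = split_stanza(pattern)
    return stanza_dir, (remainder_to_regex(remainder) if remainder else None)


def matches(whitelist, path):
    """True if the full file path passes the (right-anchored) whitelist.
    Assumption: Splunk tests the regex against the full path."""
    return re.search(whitelist, path) is not None


def combine(patterns):
    """Group wildcard patterns by stanza directory; where two patterns would
    produce overlapping stanzas (same directory), OR their whitelists into
    one regex, which is the manual's recommended fix."""
    groups = defaultdict(list)
    for p in patterns:
        stanza_dir, whitelist = to_stanza(p)
        groups[stanza_dir].append(whitelist)
    combined = {}
    for stanza_dir, whitelists in groups.items():
        if len(whitelists) == 1:
            combined[stanza_dir] = whitelists[0]
        else:
            # Strip each trailing "$", OR the bodies, re-anchor once.
            combined[stanza_dir] = "(" + "|".join(w[:-1] for w in whitelists) + ")$"
    return combined


if __name__ == "__main__":
    print(to_stanza("/foo/bar*.log"))   # ('/foo/', 'bar[^/]*\\.log$')
    print(to_stanza("/foo/.../bar"))    # ('/foo/', '.*/bar$')
    print(combine(["/foo/bar_baz*", "/foo/bar_qux*"]))
```

Because the generated regex is anchored only on the right, a pattern such as /foo/.../bar accepts /foo/bar and /foo/1/2/bar but rejects /foo/bar/x, which is the "only if bar is a file" behaviour the wildcard section describes.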

    Examples

    To load anything in /apache/foo/logs or /apache/bar/logs, etc.

    [monitor:///apache/.../logs]

    To load anything in /apache/ that ends in .log.

    [monitor:///apache/*.log]

    Batch

    [batch://]
    move_policy = sinkhole
     = 
     = ...

    Use batch to set up a one time, destructive input of data from a source. For continuous, non-destructive inputs, use monitor.

    Note: You must set move_policy = sinkhole. This loads the file destructively. Do not use this input type for files you do not want to consume destructively.

    host =

    • Set the host value of your input to a static value.
    • host= is automatically prepended to the value when this shortcut is used.
    • Defaults to the IP address or fully qualified domain name of the host where the data originated.
    • For more information about the host field, see the host section.

    index =

    • Set the index where events from this input will be stored.
    • index= is automatically prepended to the value when this shortcut is used.
    • Defaults to main (or whatever you have set as your default index).
    • For more information about the index field, see the data management section.

    sourcetype =

    • Set the sourcetype name of events from this input.
    • sourcetype= is automatically prepended to the value when this shortcut is used.
    • Splunk automatically picks a source type based on various aspects of your data. There is no hard-coded default.
    • For more information about the sourcetype field, see the source type section.

    source =

    • Set the source name of events from this input.
    • Defaults to the file path.
    • source= is automatically prepended to the value when this shortcut is used.

    queue = (parsingQueue, indexQueue, etc)

    • Specify where the input processor should deposit the events that it reads.
    • Can be any valid, existing queue in the pipeline.
    • Defaults to parsingQueue.

    host_regex =

    • If specified, the regex extracts host from the filename of each input.
    • Specifically, the first group of the regex is used as the host.
    • Defaults to the default host= attribute if the regex fails to match.

    host_segment =

    • If specified, the '/' separated segment of the path is set as host.
    • Defaults to the default host:: attribute if the value is not an integer, or is less than 1.

    Note: source = and = are not used by batch.

    Example

    This example batch loads all files from the directory /system/flight815/.

    [batch://system/flight815/*]
    move_policy = sinkhole

    Network ports

    You can enable Splunk to accept an input on any TCP or UDP port. Splunk consumes any data sent on these ports. TCP is the protocol underlying Splunk's data distribution, which is the recommended method for sending data from any remote machine to your Splunk server. Note that the user you run Splunk as must have access to the port. On a Unix system you must run as root to access a port under 1024.

    Important: In version 3.3.3 of Splunk, default syslog processing via UDP does not correctly handle line-breaks. To work around this issue, add _linebreaker = _linebreaker to the UDP stanza in $SPLUNK_HOME/etc/system/local/inputs.conf. This issue was resolved in 3.3.4.

    Splunk Web

    Add inputs from network ports via Splunk Web.

    1. Click Admin in the upper right-hand corner of Splunk Web.

    2. Then click Data Inputs.

    3. Pick Network Ports - Display and access configuration for UDP and TCP ports.

    4. Click New Input to add an input.

    5. Under the Source heading, select Protocol of UDP or TCP.

    6. Accept the default port, 9998, or enter another port number.

    7. Specify whether this port should accept connections from all hosts or one host. If you specify one host, enter the IP address of the host.

    8. Now set the Source Type. Source type is a default field added to events. Source type is used to determine processing characteristics such as timestamps and event boundaries. Learn more about setting source type. Choose:

    • From List: select one of the pre-defined source types from the drop-down list.
    • Manual: label your own source type in the text box.

    9. After specifying the source, host, and source type, click Submit.

    CLI

    Add network port inputs via Splunk's Command Line Interface (CLI). To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. Or add Splunk to your path and use the splunk command.

    If you get stuck, Splunk's CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well: type splunk help .

    The following commands are available for input configuration via the CLI:

    Command   Command syntax                                  Action
    add       add tcp | udp $SOURCE [-parameter value] ...    Add inputs from $SOURCE.
    edit      edit tcp | udp $SOURCE [-parameter value] ...   Edit a previously added input for $SOURCE.
    remove    remove tcp | udp $SOURCE                        Remove a previously added data input.
    list      list tcp | udp                                  List the currently configured monitor.

    Change the configuration of each data input type by setting additional parameters. Parameters are set via the syntax: -parameter value.

    Parameter     Required?   Description
    $SOURCE       Required    Port number to listen for data to index.
    sourcetype    Optional    Specify a sourcetype field value for events from the input source.
    index         Optional    Specify the destination index for events from the input source.
    hostname      Optional    Specify a host name to set as the host field value for events from the input source.
    remotehost    Optional    Specify an IP address to exclusively accept data from.
    resolvehost   Optional    Set True or False (T | F). Default is False. Set True to use DNS to set the host field value for events from the input source.

    Example

    Configure a network input, then set the sourcetype:

    • Configure a UDP input to watch port 514 and set the sourcetype to "syslog".

    Important: In version 3.3.3 of Splunk, default syslog processing via UDP does not correctly handle line-breaks. To work around this issue, add _linebreaker = _linebreaker to the UDP stanza in $SPLUNK_HOME/etc/system/local/inputs.conf. This issue was resolved in 3.3.4.

    Check the Splunk Wiki for information about the best practices for using UDP when configuring Syslog input.

    ./splunk add udp 514 -sourcetype syslog

    • Set the UDP input's host value via DNS. Use auth with your username and password.

    ./splunk edit udp 514 -resolvehost true -auth admin:changeme

    Note: Splunk must be running as root to watch ports under 1024.

    inputs.conf

    To add an input, add a stanza for it to inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. If you have not worked with Splunk's configuration files before, read how configuration files work before you begin.

    You can set any number of attributes and values following an input type. If you do not specify a value for one or more attributes, Splunk uses the defaults that are preset in $SPLUNK_HOME/etc/system/default/ (noted below).

    TCP

    [tcp://:] = = ...

    This type of input stanza tells Splunk to listen to the remote server on the port given in the stanza name. If the remote server is blank, Splunk listens to all connections on the specified port.

    host =

    • Set the host value of your input to a static value.
    • host:: is automatically prepended to the value when this shortcut is used.
    • Defaults to the IP address or fully qualified domain name of the host where the data originated.
    • For more information about the host field, see the host section.

    index =

    • Set the index where events from this input will be stored.
    • index:: is automatically prepended to the value when this shortcut is used.
    • Defaults to main (or whatever you have set as your default index).
    • For more information about the index field, see the data management section.

    sourcetype =

    • Set the sourcetype name of events from this input.
    • sourcetype:: is automatically prepended to the value when this shortcut is used.
    • Splunk automatically picks a source type based on various aspects of your data. There is no hard-coded default.
    • For more information about the sourcetype field, see the source type section.

    source =

    • Set the source name of events from this input.
    • Defaults to the file path.
    • source:: is automatically prepended to the value when this shortcut is used.

    queue = (parsingQueue, indexQueue, etc)

    • Specify where the input processor should deposit the events that it reads.