To work with Splunk, we need to add data to it. Splunk can read machine data from a number of sources, such as:
- files and directories – Splunk can monitor specific files (such as log files) or directories.
- network events – Splunk can index remote data from any network port and SNMP events from remote devices.
- Windows sources – Splunk can index many Windows-specific inputs, such as Windows Event Log, Windows Registry, WMI, and Active Directory.
- other – Splunk also supports other input sources, such as FIFO queues and scripted inputs for getting data from APIs and other remote data interfaces.
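As an added illustration (not from the original page), the following `inputs.conf` fragment shows how each of the four input categories above is declared. The stanza types and setting names are Splunk's documented `inputs.conf` syntax; the file paths, ports, index names, sourcetypes and script name are assumptions chosen for the example.

```ini
# inputs.conf (example); stanza and setting names follow Splunk's inputs.conf
# syntax, but every path, port, index and sourcetype below is an assumption.

# 1. Files and directories: tail a single log file that authentication
#    events land in (path assumed for a typical Debian/Ubuntu host).
[monitor:///var/log/auth.log]
disabled = 0
sourcetype = linux_secure
index = os_linux

#    ...or a whole directory, restricted to files matching a regex.
[monitor:///var/log/nginx]
whitelist = \.log$
sourcetype = access_combined
index = web

# 2. Network events: accept syslog from remote devices over UDP and TCP.
#    connection_host = ip records the sender's address as the host field.
[udp://514]
sourcetype = syslog
index = network
connection_host = ip

[tcp://514]
sourcetype = syslog
index = network

# 3. Windows sources: the Security event log. Only valid on a Windows host
#    or a Windows universal forwarder.
[WinEventLog://Security]
disabled = 0
index = os_windows
renderXml = false

# 4. Scripted input: run a script every 300 seconds and index whatever it
#    writes to stdout (script name assumed; it is not part of Splunk).
[script://$SPLUNK_HOME/bin/scripts/fetch_api_status.sh]
disabled = 0
interval = 300
sourcetype = api_status
index = app
```

Put a file like this in an app's `local` directory (for example `$SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf`) and restart Splunk, or use the equivalent `splunk add monitor` CLI command for file inputs. After enabling an input, confirm that events are actually arriving in the target index before relying on it: authentication logs and the Windows Security log are exactly the sources later detections depend on, and a disabled stanza or an unreadable file silently produces no events.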
When you add data to Splunk, Splunk indexes it and produces event data; each individual unit of this data is called an event. The data you add can be on the same computer as Splunk Enterprise, or it can be on another machine.
Splunk stores the indexed data and its indexes in flat files on disk (files within a directory) and does not require any database software.