Add data to Splunk

There are three ways to add data to Splunk:

  • Upload – you can upload a file or an archive of files into Splunk Enterprise for indexing. Note that Splunk consumes the uploaded file(s) only once; it does not monitor them continuously.
  • Monitor – you can use this option to monitor files, directories, network streams, scripts, and other types of machine data that Splunk can index. This is the option you would most likely use in a production environment.
  • Forward – you can use this option to receive data sent by Splunk forwarders installed on other hosts.

The easiest way to add data to Splunk is to use the first option (Upload). Here is how we would upload a file to Splunk:

From the home screen, click on the Add Data icon:


Click on the Upload icon:


Next, you will need to select the file source. To do this, click on the Select File button:


Browse to the file you would like to include:


If you need test log files, you can download them from here: http://docs.splunk.com/images/Tutorial/tutorialdata.zip


After the file upload finishes, click the Next button:


You should now see the Set Source Type page, where you can adjust how Splunk indexes your data and preview the result. One of the options you can adjust is the source type. This field determines how Splunk parses and formats the data during indexing (event breaking, timestamp extraction, and so on). Splunk ships with a large number of predefined source types and attempts to assign the correct one to your data based on its format.

If you are not satisfied with the source type Splunk assigned by default, you can choose a different source type or use the other options (Event Breaks, Timestamp, and Advanced) to manually adjust how Splunk will format the data. In our case, Splunk has formatted the data correctly, so we click Next:


Next, we can configure the Input Settings. Here we can set the hostname (or IP address) of the host from which the log originates, and choose the index in which the events will be stored. Select your options and click the Review button:


Review the settings and click Submit to finish the process:


And that’s it! You can verify that the data was added successfully by clicking on the Start Searching button:

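The same three choices made in the wizard above (source type, index, and host) are what a production Monitor input sets in inputs.conf. The following stanzas are an added example, not from the original page; the file path, index name, and host name are assumed values:

```ini
# inputs.conf (added example, not from the original page)
# A Monitor input: unlike Upload, Splunk tails the file continuously and
# indexes new events as they are written.
[monitor:///var/log/tutorial/access.log]
# Same decision as the "Set Source Type" page: controls event breaking and
# timestamp extraction. access_combined is one of Splunk's predefined types.
sourcetype = access_combined
# Same decision as the "Input Settings" page. The index must already exist;
# events sent to a non-existent index are not stored. "web" is assumed.
index = web
# Same decision as the "Input Settings" page: overrides the host field,
# which otherwise defaults to the name of the machine running Splunk.
host = webserver01
disabled = false

# A directory can be monitored as a whole; the optional whitelist is a
# regular expression that limits which files are picked up.
[monitor:///var/log/tutorial]
whitelist = \.log$
sourcetype = syslog
index = main
```

Indexes are also the unit of role-based access control in Splunk, so the index chosen at this step determines which roles will be able to search the events later.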

Geek University 2022