
Where to find resources about getting data into Splunk Enterprise?

Splunk Employee

Where can I find resources to help me get data into Splunk? I'm looking for an overview of data, forwarders, and apps to help me plan my implementation.

0 Karma

Re: Where to find resources about getting data into Splunk Enterprise?

Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Splunk uses default fields along with the individual event's raw data to correlate and identify common elements in the data on the fly at search time. This means there is no fixed schema, which makes searching with Splunk fast, easy, and flexible.

Things to know

You can use forwarders to get data in, and you can use Splunk apps to get data in. Forwarders get data from remote machines and prepare it for indexing, for example, compressing data, buffering, and adding source, sourcetype, and host metadata. Universal forwarders do not parse data before forwarding it, and are the best way to forward data to indexers. Heavy forwarders parse data before forwarding it, and route data based on event contents.

At the indexer, Splunk breaks data into individual events (event line breaking), identifies the basic attributes of each event in the form of default fields, then stores the events for searching. Splunk generates these default fields for each event that identify and describe the event's origin:

  • Timestamp: Splunk uses timestamps to correlate events by time, to create the timeline histogram in Splunk Web, and to set time ranges for searches.
  • Host: The hostname or IP address of the machine that generated the data.
  • Source: The originating location of the data, for example, the path name of the file or directory being monitored for data, or the protocol and port.
  • Source type: A way to identify and group events with similar attributes regardless of where they came from. For example, Apache web logs might come from many different machines with many different log locations, but the fields in the data are essentially the same. You can use a source type to refer to them all.

Things to do

The following video demonstrates how to get data into the Linux version of Splunk Enterprise.

Getting Data Into Splunk Enterprise - Linux

The following video demonstrates how to get data into the Windows version of Splunk Enterprise.

Getting Data Into Splunk Enterprise - Windows

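To make the answer above concrete, here is a minimal set of Splunk configuration stanzas that wires a universal forwarder to an indexer and shows where each of the default fields (host, source, sourcetype, timestamp) is decided. This is an added example, not configuration from the answer or from Splunk's documentation; the log path, index name, hostnames and certificate file names are assumed placeholders. Everything else uses standard inputs.conf, outputs.conf and props.conf settings.

```ini
# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Assumed placeholders: /var/log/auth.log, index "os", hostnames and
# certificate paths are invented for this example.
[monitor:///var/log/auth.log]
disabled = false
index = os
# sourcetype groups events with the same shape no matter which machine sent them
sourcetype = linux_secure
# source defaults to the monitored path; host defaults to the forwarder's own
# name from server.conf, so only override it when collecting on behalf of
# another machine.
# host = web01

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = primary_indexers
# useACK makes the forwarder wait for the indexer to confirm the data was
# written, so an indexer outage does not silently lose events.
useACK = true

[tcpout:primary_indexers]
server = idx1.example.internal:9997
# Encrypt the forwarder-to-indexer hop and verify the indexer's certificate.
sslVerifyServerCert = true
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Accept forwarder traffic only over TLS and require a client certificate,
# so unauthenticated hosts cannot inject events into the index.
[splunktcp-ssl:9997]
disabled = false

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
requireClientCert = true

# --- Indexer: $SPLUNK_HOME/etc/system/local/props.conf ---
# Parsing rules for the source type: this is where event line breaking and
# timestamp extraction (the "Timestamp" default field) happen.
[linux_secure]
# One syslog line per event: break on newlines and never merge lines.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The timestamp is at the start of each line, e.g. "Mar  4 13:07:22".
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
```

Because universal forwarders do not parse, the props.conf stanza must live on the indexer (or on a heavy forwarder if one sits in between); putting it on the universal forwarder has no effect on line breaking or timestamps. Restart the forwarder and indexer after editing, then confirm ingestion with a search such as `index=os sourcetype=linux_secure | head 5` and check that `_time`, `host`, `source` and `sourcetype` are populated as expected.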


Re: Where to find resources about getting data into Splunk Enterprise?

Splunk Employee

Added video content.

0 Karma