Hi,
I am a newbie to Splunk and I have a requirement like below.
Can you please help me out in using Splunk?
Regards,
Joseph.
Welcome to Splunk Answers @thambijoseph
Splunk is a tool which will ingest logs, index them, parse them, then make them available in a nice user interface which is easy to search and make use of. You can also create fields and use those fields to analyze data and make sense of it.
To start you will need to have a remote host file and monitor a directory where the log files are being generated. Once new data flows into the log files, Splunk will see this and forward them to your indexer which will then index the files. Assuming your indexer is already set up, your first step would be to create an inputs.conf on the remote host and start monitoring a directory to ingest those log files.
Hi Skoelpin,
Is there any documentation with step by step process. I read the document but still not understanding how to proceed.
The below link describes how to start indexing data.
http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Getstartedwithgettingdatain
Here's a brief description to add onto this. This is an example of a general setup.

You will have a remote server which will generate log data. This log data will be under C:\Logs\Data.txt. You will set up a Splunk forwarder to monitor the path C:\Logs\Data.txt, so every time new data is added to the text file Data.txt, the Splunk forwarder will recognize this and forward it to your central Splunk server (also known as an indexer), and the indexer will index and parse the data and make it usable in the Splunk GUI. So say Data.txt is a high-volume log which has millions of events and you want to know how often people have attempted to search for the term "splunk"; you could do a search and quickly find out how many people looked for Splunk compared to all the other terms overall.

So to set this up, you will need to configure your forwarder on the remote machine. After installing the forwarder, you will need 2 files which will be located in %SPLUNK_HOME%/etc/system/local. Those 2 files are inputs.conf, which will have a stanza and define what index your data will go to and the sourcetype it should have (when you create fields in Splunk, it will be relative to the sourcetype), and outputs.conf, which will have information which will point to your indexer so the data knows where to go. It's super easy to install a forwarder and you can look at examples online for the inputs.conf and outputs.conf and copy those, then you should be in business.
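A concrete pair of files matching the setup described in the answer above, written here as an added example rather than anything posted in this thread. The index name, sourcetype and indexer hostname are assumptions to replace with your own; the only value taken from the answer is the monitored path.

```ini
# %SPLUNK_HOME%\etc\system\local\inputs.conf on the remote (forwarder) host.
# Monitor the single file described above. "app_logs" and "data_txt" are
# assumed names: the index must already exist on the indexer, otherwise the
# indexer drops the events (unless a last-chance index has been configured).
[monitor://C:\Logs\Data.txt]
index = app_logs
sourcetype = data_txt
disabled = false

# %SPLUNK_HOME%\etc\system\local\outputs.conf on the same host.
# Points the forwarder at the indexer. "indexer.example.com" is a placeholder;
# 9997 is the conventional Splunk receiving port and receiving must be enabled
# on the indexer (Settings > Forwarding and receiving > Configure receiving).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.com:9997
# Require the indexer to acknowledge each block so the forwarder retries
# instead of silently losing events if the connection drops mid-stream.
useACK = true
```

After saving both files, restart the forwarder so it reads the new configuration, then confirm on the indexer with a search over index=app_logs that events are arriving with the expected sourcetype.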
Hi there,
Just go to Settings > Data Inputs > Files & Directories OR select how to index your input according to your data source. After that, just follow the wizard.
If you have any doubt, don't hesitate.
This will probably help you a lot more, http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Configureyourinputs
Hi Alemarzu,
Is there any documentation with step by step process. I read the document but still not understanding how to proceed.
Hi there mate, sure there is.
In the link that I pasted above from Splunk docs, if you look at the left side of the web page, you'll see this menu. In there you will find the step-by-step procedure to index your data.