Training + Certification Discussions

Where to find resources about getting data into Splunk Enterprise?

adukes_splunk
Splunk Employee

Where can I find resources to help me get data into Splunk? I'm looking for an overview of data, forwarders, and apps to help me plan my implementation.

0 Karma
1 Solution

adukes_splunk
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Splunk uses default fields along with the individual event's raw data to correlate and identify common elements in the data on the fly at search time. This means there is no fixed schema, which makes searching with Splunk fast, easy, and flexible.

Things to know

You can use forwarders to get data in, and you can use Splunk apps to get data in. Forwarders get data from remote machines and prepare it for indexing, for example, compressing data, buffering, and adding source, sourcetype, and host metadata. Universal forwarders do not parse data before forwarding it, and are the best way to forward data to indexers. Heavy forwarders parse data before forwarding it, and route data based on event contents.
At the indexer, Splunk breaks data into individual events (event line breaking), and identifies the basic attributes of each event in the form of default fields, then stores the events for searching. Splunk generates these default fields for each event that identify and describe the event's origin:

  • Timestamp: Splunk uses timestamps to correlate events by time, to create the timeline histogram in Splunk Web, and to set time ranges for searches.
  • Host: The hostname or IP address of the machine that generated the data.
  • Source: The originating location of the data, for example, the path name of the file or directory being monitored for data, or the protocol and port.
  • Source type: A way to identify and group events with similar attributes regardless of where they came from. Like Apache web logs: they might come from many different machines with many different log locations, but the fields in the data are essentially the same. You can use a source type to refer to them all.

Things to do

The following video demonstrates how to get data into the Linux version of Splunk Enterprise.

Getting Data Into Splunk Enterprise - Linux

The following video demonstrates how to get data into the Windows version of Splunk Enterprise.
Getting Data Into Splunk Enterprise - Windows
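The answer above describes the pieces (a universal forwarder that tags events with host, source and sourcetype; an indexer that does line breaking and timestamp extraction) without showing what they look like on disk. The following is an added example, not part of the original post or Splunk's documentation. The file names and setting names are real Splunk configuration files and keys; the log path, sourcetype name `nginx:access`, index name `web`, hostnames, port 9997 and certificate paths are assumptions chosen for illustration, and the sample log line is constructed. The TLS settings assume you have already deployed a CA-signed certificate to the forwarder.

```ini
# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# The forwarder does not parse events; it only reads the file and stamps
# the stream with the default fields that the indexer will store.
[default]
host = web01                       ; assumed hostname; defaults to the OS hostname if omitted

[monitor:///var/log/nginx/access.log]
sourcetype = nginx:access          ; assumed sourcetype name; groups these events wherever they come from
index = web                        ; assumed index; must exist on the indexers
disabled = 0
# "source" needs no setting: Splunk fills it with the monitored path.

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997   ; assumed indexer addresses
useACK = true                      ; indexer acknowledgement so data is not lost on a dropped connection
# TLS: assumes certs were already deployed to these paths.
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslVerifyServerCert = true

# --- Indexer: $SPLUNK_HOME/etc/system/local/props.conf ---
# Parsing happens here (or on a heavy forwarder): line breaking and
# timestamp extraction for the assumed sourcetype.
# Constructed sample line the settings below are written against:
#   10.0.0.5 - - [12/Mar/2024:10:15:32 +0000] "GET /login HTTP/1.1" 200 512
[nginx:access]
SHOULD_LINEMERGE = false           ; one line per event; never merge lines
LINE_BREAKER = ([\r\n]+)           ; break events on newlines
TIME_PREFIX = \[                   ; the timestamp follows the first "["
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z ; 12/Mar/2024:10:15:32 +0000
MAX_TIMESTAMP_LOOKAHEAD = 30       ; stop scanning for a timestamp after 30 characters past TIME_PREFIX
TRUNCATE = 10000                   ; drop anything longer; protects the indexer from runaway lines
```

After a restart on both sides, the events arrive with `host=web01`, `source=/var/log/nginx/access.log`, `sourcetype=nginx:access` and `_time` taken from the bracketed timestamp rather than the arrival time, so a search such as `index=web sourcetype=nginx:access host=web01` returns them regardless of which indexer received them. Setting `TIME_FORMAT` explicitly, rather than relying on automatic detection, matters when the log crosses timezones or when an attacker can write timestamp-like strings into the request path; `TIME_PREFIX` and `MAX_TIMESTAMP_LOOKAHEAD` keep extraction anchored to the field you intend.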


adukes_splunk
Splunk Employee

Added video content.

0 Karma