Splunk Tutorial 05: How to upload data into Splunk

This tutorial will illustrate how to get data into Splunk.


What kind of Data can Splunk handle?

The sky is the limit. Splunk can handle data generated almost anywhere, including (but not limited to):

  • Virtual Machine
  • Physical machines
  • Servers
  • IoT
  • Communications devices
  • Log
  • Configurations
  • Scripts
  • Database
  • Tickets
  • Alerts
  • Self driving cars
  • Sensors, etc.

Some of these sources still need human intervention until Splunk has been taught how to handle them on its own.


How to get data into Splunk?

Splunk accepts data through the following channels:

  1. Upload files
  2. Monitor files and directories (on local or remote machines)
  3. Local and remote syslog via UDP or TCP
  4. SNMP (UDP port 162)
  5. Scripted inputs (for example, polling an API)
  6. Universal Forwarder or Heavy Forwarder


Upload Data vs. Monitor Data & Forwarder

The following are the differences between getting data in by upload, by monitor and by forwarder:

Option   Description
-------  -----------
Upload   The Upload option lets you upload a file or archive of files for indexing. When you click Upload, Splunk Web goes to a page that starts the upload process.
Monitor  The Monitor option lets you monitor one or more files, directories, network streams, scripts, Event Logs (on Windows hosts only), performance metrics, or any other type of machine data that the Splunk Enterprise instance has access to. When you click Monitor, Splunk Web loads a page that starts the monitoring process.
Forward  The Forward option lets you receive data from forwarders into your Splunk deployment. When you click the "Forward" button, Splunk Web takes you to a page that starts the data collection process from forwarders.
         The Forward option requires additional configuration. Use it only in a single-instance Splunk environment.


Every time a new data set comes into Splunk, Splunk automatically assigns the following metadata fields to it:


Field       Description
----------  -----------
source      The path of the input data source
host        Hostname of the Splunk instance (or forwarder) that collected the data
sourcetype  Splunk automatically determines the source type (e.g. CSV file, database, etc.)
index       Defaults to "Default"
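As an added example that is not part of this tutorial, the fragment below shows how three of the channels listed above (monitoring a directory, local syslog over UDP, and a scripted input) are declared in inputs.conf, and how each stanza overrides the automatically assigned sourcetype, index and host metadata. The directory path, port number, script path, index names and sourcetype names are assumptions chosen for illustration.

```ini
# Added example (not from the tutorial): $SPLUNK_HOME/etc/system/local/inputs.conf
# All paths, ports, index names and sourcetype names below are hypothetical.

# Channel 2: monitor a directory of application logs.
[monitor:///var/log/myapp]
# Override the automatic sourcetype so the correct timestamp and
# line-breaking rules apply instead of Splunk's guess.
sourcetype = myapp:json
# Send these events to a dedicated index so access can be scoped by role.
index = app_prod
# Only pick up live .log files; skip rotated, compressed archives.
whitelist = \.log$
blacklist = \.gz$
# Ignore files not modified in the last 30 days (avoids re-indexing old data).
ignoreOlderThan = 30d
disabled = false

# Channel 3: local syslog over UDP on an unprivileged port (assumed 5514).
[udp://5514]
sourcetype = syslog
index = netops
# Set the host field from the sender's IP rather than this instance's hostname,
# so events are attributed to the device that produced them.
connection_host = ip

# Channel 5: scripted input that polls an API every 5 minutes.
[script://$SPLUNK_HOME/etc/apps/myapp/bin/poll_api.sh]
interval = 300
sourcetype = myapp:api
index = app_prod
# Override the default source (the script path) with a friendlier name.
source = poll_api
```

The file is read on startup, so restart the Splunk instance (or forwarder) after editing it; on a forwarder the same stanzas apply, with the destination indexer configured separately in outputs.conf.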


The following are the steps for getting a CSV file into Splunk.


