Download topic as PDF
To get started with getting data into your Splunk deployment, point your deployment at some data by configuring an input. You can get data in using several ways. For the most straightforward option, use Splunk Web. With a Splunk Cloud Platform deployment, you might need to configure a heavy forwarder or universal forwarder to send the data to your Splunk Cloud Platform instance.
Alternatively, you can download and enable an app, such as the Splunk App for Microsoft Exchange or Splunk IT Service Intelligence. See Use apps and add-ons to get data in.
After you configure the inputs or enable an app, your Splunk deployment stores and processes the specified data. You can go to either the Search & Reporting app or the main app page and begin exploring the data that you collected.
Understand your needs
Before you start adding inputs to your deployment, ask yourself the following questions:
| Question | Documentation |
|---|---|
| What kind of data do I want to index? | What data can I index? |
| Is there an app for that? | Use apps to get data in |
| Where does the data reside? Is it local or remote? | Where is my data? |
| Should I use forwarders to access remote data? | Use forwarders to get data in |
| What do I want to do with the indexed data? | What is Splunk knowledge? |
Add new inputs
To add data, follow these high-level steps:
- Create a test index and add a few inputs. Any data you add to your test index counts against your maximum daily indexing volume for licensing purposes.
- Preview and modify how your data will be indexed before committing the data to the test index.
- Review the test data that you added with the Search & Reporting app. Ask yourself these questions:
- Do you see the sort of data you were expecting?
- Did the default configurations work well for your events?
- Is data missing or mixed up?
- Are the results optimal?
- If necessary, tweak your input and event processing configurations further until events look the way you want them to.
- Delete the data from your test index and start over, if necessary.
- When you are ready to index the data permanently, configure the inputs to use an index of your choosing.
You can repeat this task to add other inputs as you familiarize yourself with getting data in.
Index custom data
The Splunk platform can index any time-series data, usually without additional configuration. If you have logs from a custom application or device, process it with the default configuration first. If you do not get the results you want, you can tweak things to make sure the software indexes your events correctly.
See Overview of event processing and How indexing works so that you can make decisions about how to make the Splunk platform work with your data.
Then, consider the following scenarios for collecting data:
- Are the events in your data more than one line? See Configure event line breaking.
- Is your data in an unusual character set? See Configure character set encoding.
- Is the Splunk platform unable to determine the timestamps correctly? See How timestamp assignment works.
Further reading on configuring data inputs and getting data into the Splunk platform
Refer to the following table for some ways you can explore and further configure your data:
| Task | Documentation |
|---|---|
| Configure an input | Other ways to get data in |
| Add data to your Splunk deployment | How do you want to add data? |
| Experiment with adding a test index | Use a test index to test your inputs |
| Add source types | Assign the correct source types to your data |
| Configure event processing | How Splunk Enterprise handles your data |
| Delete data from your Splunk deployment | Delete indexed data and start over |
| Configure your inputs with a default index | Configure your inputs to use the default index |
Last modified on 25 September, 2023
| PREVIOUS What data can I index? | NEXT Is my data local or remote? |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.6, 8.0.10, 7.2.10, 7.0.1, 8.0.5, 8.0.8, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1, 8.0.7, 8.0.9, 8.1.0
