# Version 8.2.1
#
############################################################################
# OVERVIEW
############################################################################
# This file contains possible settings you can use to configure inputs,
# distributed inputs such as forwarders, and file system monitoring in
# inputs.conf.
#
# Each stanza controls different search commands settings.
#
# There is an inputs.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name inputs.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
# For examples, see inputs.conf.example.
# You must restart the Splunk instance to enable configuration changes.
#
# To learn more about configuration files (including file precedence) see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
#
#
############################################################################
# GLOBAL SETTINGS
############################################################################
# Use the [default] stanza to define any global settings.
# * You can also define global settings outside of any stanza, at the top of
# the file.
# * Each conf file should have at most one default stanza. If there are
# multiple default stanzas, settings are combined. In the case of
# multiple definitions of the same setting, the last definition in the
# file wins.
# * If a setting is defined at both the global level and in a specific
# stanza, the value in the specific stanza takes precedence.
############################################################################
# GENERAL SETTINGS:
# The following settings are valid for all input types (except file system
# change monitor, which is described in a separate section in this file).
# You must first enter a stanza header in square brackets, specifying the input
# type. See further down in this file for examples.
# Then, use any of the following settings.
#
# To specify global settings for Windows Event Log inputs, place them in
# the [WinEventLog] global stanza as well as the [default] stanza.
############################################################################
host = <string>
* Sets the host key/field to a static value for this input stanza.
* The input uses this field during parsing and indexing. It also uses this
field at search time.
* As a convenience, the input prepends the chosen string with 'host::'.
* If set to '$decideOnStartup', sets the field to the hostname of the executing
machine. This occurs on each splunkd startup.
* If you run multiple instances of the software on the same machine (hardware
or virtual machine), choose unique values for 'host' to differentiate
your data, ex. myhost-sh-1 or myhost-idx-2.
* Do not put the <string> value in quotes. Use host=foo, not host="foo".
* If you set 'host' to "$decideOnStartup", you can further control how splunkd
derives the hostname by using the 'hostnameOption' setting in server.conf.
* For example, if you want splunkd to use the fully qualified domain
name for the machine, set "host = $decideOnStartup" in inputs.conf and
"hostnameOption = fullyqualifiedname" in server.conf.
* More information on hostname options can be found in the server.conf
specification file.
* If you remove the 'host' setting from $SPLUNK_HOME/etc/system/local/inputs.conf
or remove $SPLUNK_HOME/etc/system/local/inputs.conf, the setting changes to
"$decideOnStartup". Apps that need a resolved host value should use the
'host_resolved' property in the response for the REST 'GET' call of the
input source. This property is set to the hostname of the local Splunk
instance. It is a read only property that is not written to inputs.conf.
* Default: "$decideOnStartup", but at installation time, the setup logic
adds the local hostname, as determined by DNS, to the
$SPLUNK_HOME/etc/system/local/inputs.conf default stanza, which is the
effective default value.
run_only_one = <boolean>
* Determines if a scripted or modular input runs on one search head
in a SHC.
* Currently not supported. This setting is related to a feature that is
still under development.
* Default: true
index = <string>
* Sets the index to store events from this input.
* Primarily used to specify the index to store events that come in through
this input stanza.
* Default: main (or whatever you have set as your default index)
source = <string>
* Sets the source key/field for events from this input.
* Detail: Sets the source key initial value. The key is used during
parsing/indexing, in particular to set the source field during
indexing. It is also the source field used at search time.
* As a convenience, the chosen string is prepended with 'source::'.
* Avoid overriding the source key. The input layer provides a more accurate
string to aid in problem analysis and investigation, recording the file
from which the data was retrieved. Consider using source types, tagging,
and search wildcards before overriding this value.
* Do not put the <string> value in quotes: Use source=foo,
not source="foo".
* Default: the input file path
sourcetype = <string>
* Sets the sourcetype key/field for events from this input.
* Explicitly declares the source type for this input instead of letting
it be determined through automated methods. This is important for
search and for applying the relevant configuration for this data type
during parsing and indexing.
* Sets the sourcetype key initial value. The key is used during
parsing or indexing to set the source type field during
indexing. It is also the source type field used at search time.
* As a convenience, the chosen string is prepended with 'sourcetype::'.
* Do not put the <string> value in quotes: Use sourcetype=foo,
not sourcetype="foo".
* If not set, the indexer analyzes the data and chooses a source type.
* No default.
queue = [parsingQueue|indexQueue]
* Sets the queue where the input processor should deposit the events it reads.
* Set to "parsingQueue" to apply the props.conf file and other parsing rules to
your data. For more information about the props.conf file and the rules for
timestamps and line breaks, see the props.conf file and the
online documentation at http://docs.splunk.com/Documentation.
* Set to "indexQueue" to send your data directly into the index.
* Default: parsingQueue
# Pipeline Key defaulting.
* Pipeline keys in general can be defaulted in inputs stanzas.
* The list of user-available, modifiable pipeline keys is described in
transforms.conf.spec. See transforms.conf.spec for further information on
these keys.
* The currently-defined keys which are available literally in inputs stanzas
are as follows:
queue = <value>
_raw = <value>
_meta = <value>
_time = <value>
* Inputs have special support for mapping host, source, sourcetype, and index
to their metadata names such as host -> Metadata:Host
* Defaulting these values is not recommended, and is
generally only useful as a workaround to other product issues.
* Defaulting these keys in most cases will override the default behavior of
input processors, but this behavior is not guaranteed in all cases.
* Values defaulted here, as with all values provided by inputs, can be
altered by transforms at parse time.
############################################################################
# This section contains options for routing data using inputs.conf rather than
# outputs.conf.
#
# NOTE: concerning routing via inputs.conf:
# This is a simplified set of routing options you can use as data comes in.
# For more flexible options or details on configuring required or optional
# settings, see outputs.conf.spec.
############################################################################
_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>, ...
* A comma-separated list of tcpout group names.
* This setting lets you selectively forward data to specific indexer(s).
* Specify the tcpout group that the forwarder should use when forwarding the data.
The tcpout group names are defined in outputs.conf with
[tcpout:<tcpout_group_name>].
* To forward data to all tcpout group names that have been defined in
outputs.conf, set to '*' (asterisk).
* To forward data from the "_internal" index, you must explicitly set '_TCP_ROUTING'
to either "*" or a specific splunktcp target group.
* Default: The groups specified in 'defaultGroup' in [tcpout] stanza in
outputs.conf file
_SYSLOG_ROUTING = <syslog_group_name>,<syslog_group_name>,<syslog_group_name>, ...
* A comma-separated list of syslog group names.
* Using this, you can selectively forward the data to specific destinations as
syslog events.
* Specify the syslog group to use when forwarding the data.
The syslog group names are defined in outputs.conf with
[syslog:<syslog_group_name>].
* The destination host must be configured in outputs.conf, using
"server=[<ip>|<servername>]:<port>".
* This setting does not work on a Universal Forwarder.
* Default: The groups present in "defaultGroup" in the [syslog] stanza in
outputs.conf file
_INDEX_AND_FORWARD_ROUTING = <string>
* Only has effect if you use the 'selectiveIndexing' feature in outputs.conf.
* If set for any input stanza, should cause all data coming from that input
stanza to be labeled with this setting.
* When 'selectiveIndexing' is in use on a forwarder:
* data without this label will not be indexed by that forwarder.
* data with this label will be indexed in addition to any forwarding.
* This setting does not actually cause data to be forwarded or not forwarded in
any way, nor does it control where the data is forwarded in multiple-forward
path cases.
* Default: not set
############################################################################
# Deny list
############################################################################
[blacklist:<path>]
* Protects files on the file system from being indexed or previewed.
* The input treats a file as denied if its path starts with any of the
defined deny list <path> values.
* Adding a file to the deny list with the specified path occurs even if a monitor
stanza defines an allow list that matches the file path.
* The preview endpoint returns an error when asked to preview an
excluded file.
* The oneshot endpoint and command also return an error.
* When a denied file is monitored (monitor:// or batch://),
the 'filestatus' endpoint shows an error.
* For fschange with the 'sendFullEvent' option enabled, contents of
denied files are not indexed.
############################################################################
# Valid input types follow, along with their input-specific settings:
############################################################################
############################################################################
# MONITOR:
############################################################################
[monitor://<path>]
* Configures a file monitor input to watch all files in <path>.
* <path> can be an entire directory or a single file.
* You must specify the input type and then the path, so put three slashes in
your path if you are starting at the root on *nix systems (to include the
slash that indicates an absolute path).
# Additional settings:
host_regex = <regular expression>
* If specified, <regular expression> extracts host from the path to the file
for each input file.
* Detail: This feature examines the source key; if source is set
explicitly in the stanza, that string is matched, not the original
filename.
* Specifically, the first group of the regex is used as the host.
* If the regex fails to match, the default 'host' setting is used.
* If 'host_regex' and 'host_segment' are both set, the input ignores 'host_regex'.
* No default.
host_segment = <integer>
* If set to N, Splunk software sets the Nth "/"-separated segment of the path
as 'host'.
* For example, if host_segment=3 and the path is /logs/servers/host08/abc.txt,
the third segment, "host08", is used.
* If the value is not an integer or is less than 1, the default 'host'
setting is used.
* On Windows machines, the drive letter and colon before the backslash DOES NOT
count as one segment.
* For example, if you set host_segment=3 and the monitor path is
D:\logs\servers\host01, Splunk software sets the host as "host01" because
that is the third segment.
* No default.
whitelist = <regular expression>
* If set, files from this input are monitored only if their path matches the
specified regex.
* Takes precedence over the deprecated '_whitelist' setting, which functions
the same way.
* No default.
blacklist = <regular expression>
* If set, files from this input are NOT monitored if their path matches the
specified regex.
* Takes precedence over the deprecated '_blacklist' setting, which functions
the same way.
* If a file matches the regexes in both the deny list and allow list settings,
the file is NOT monitored. Deny lists take precedence over allow lists.
* No default.
Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored inputs. Use
"..." for recursive directory matching and "*" for wildcard matching in a
single directory segment.
* "..." recurses through directories. This means that /foo/.../bar matches
foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For
example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it
does not recurse. For example, /foo/*/bar matches the files
/foo/1/bar, /foo/2/bar, etc. However, it does not match
/foo/bar or /foo/1/2/bar.
A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar,
/foo/moor/bar, etc. It does not match /foo/mi/or/bar.
* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in
the bar directory within the specified path.
* A monitor stanza path will interpret regex metacharacters as strings unless
they are preceded by the wildcard values "*" or "..." in a prior
segment of the path.
crcSalt = <string>
* Use this setting to force the input to consume files that have matching CRCs
(cyclic redundancy checks).
* By default, the input only performs CRC checks against the first 256
bytes of a file. This behavior prevents the input from indexing the same
file twice, even though you might have renamed it, as with rolling log
files, for example. Because the CRC is based on only the first
few lines of the file, it is possible for legitimately different files
to have matching CRCs, particularly if they have identical headers.
* If set, <string> is added to the CRC.
* If set to the literal string "<SOURCE>" (including the angle brackets), the
full directory path to the source file is added to the CRC. This ensures
that each file being monitored has a unique CRC. When 'crcSalt' is invoked,
it is usually set to <SOURCE>.
* Be cautious about using this setting with rolling log files; it could lead
to the log file being re-indexed after it has rolled.
* In many situations, 'initCrcLength' can be used to achieve the same goals.
* Default: empty string
initCrcLength = <integer>
* How much of a file, in bytes, the input reads before trying to
identify whether it is a file that has already been seen. You might want to
adjust this if you have many files with common headers (comment headers,
long CSV headers, etc) and recurring filenames.
* Cannot be less than 256 or more than 1048576.
* CAUTION: Improper use of this setting causes data to be re-indexed. You
might want to consult with Splunk Support before adjusting this value - the
default is fine for most installations.
* Default: 256 (bytes)
ignoreOlderThan = <non-negative integer>[s|m|h|d]
* The monitor input compares the modification time on files it encounters
with the current time. If the time elapsed since the modification time
is greater than the value in this setting, Splunk software puts the file
on the ignore list.
* Files on the ignore list are not checked again until the Splunk
platform restarts, or the file monitoring subsystem is reconfigured. This
is true even if the file becomes newer again at a later time.
* Reconfigurations occur when changes are made to monitor or batch
inputs through Splunk Web or the command line.
* Use 'ignoreOlderThan' to increase file monitoring performance when
monitoring a directory hierarchy that contains many older, unchanging
files, and when removing or adding a file to the deny list from the
monitoring location is not a reasonable option.
* Do NOT select a time that files you want to read could reach in
age, even temporarily. Take potential downtime into consideration!
* Suggested value: 14d, which means 2 weeks
* For example, a time window of a significant number of days or a small
number of weeks is probably a reasonable choice.
* If you need a time window in small numbers of days or hours,
there are other approaches to consider for performant monitoring
beyond the scope of this setting.
* NOTE: Most modern Windows file access APIs do not update file
modification time while the file is open and being actively written to.
Windows delays updating modification time until the file is closed.
Therefore you might have to choose a larger time window on Windows
hosts where files may be open for long time periods.
* Value must be: <number><unit>. For example, "7d" indicates one week.
* Valid units are "d" (days), "h" (hours), "m" (minutes), and "s"
(seconds).
* No default, meaning there is no threshold and no files are
ignored for modification time reasons
followTail = <boolean>
* Whether or not the input should skip past current data in a monitored file
for a given input stanza. This lets you skip over data in files, and
immediately begin indexing current data.
* If you set this to "1", monitoring starts at the end of the file (like
*nix 'tail -f'). The input does not read any data that exists in
the file when it is first encountered. The input only reads data that
arrives after the first encounter time.
* If you set this to "0", monitoring starts at the beginning of the file.
* This is an advanced setting. Contact Splunk Support before using it.
* Best practice for using this setting:
* Enable this setting and start the Splunk instance.
* Wait enough time for the input to identify the related files.
* Disable the setting and restart the instance.
* Do not leave 'followTail' enabled in an ongoing fashion.
* Do not use 'followTail' for rolling log files (log files that get renamed as
they age) or files whose names or paths vary.
* Default: 0
alwaysOpenFile = <boolean>
* Opens a file to check whether it has already been indexed, by skipping the
modification time/size checks.
* Only useful for files that do not update modification time or size.
* Only known to be needed when monitoring files on Windows, mostly for
Internet Information Server logs.
* Configuring this setting to "1" can increase load and slow indexing. Use it
only as a last resort.
* Default: 0
time_before_close = <integer>
* The amount of time, in seconds, that the file monitor must wait for
modifications before closing a file after reaching an End-of-File
(EOF) marker.
* Tells the input not to close files that have been updated in the
past 'time_before_close' seconds.
* Default: 3
multiline_event_extra_waittime = <boolean>
* By default, the file monitor sends an event delimiter when:
* It reaches EOF of a file it monitors and
* The last character it reads is a newline.
* In some cases, it takes time for all lines of a multiple-line event to
arrive.
* Set to "true" to delay sending an event delimiter until the time that the
file monitor closes the file, as defined by the 'time_before_close' setting,
to allow all event lines to arrive.
* Default: false
recursive = <boolean>
* Whether or not the input monitors subdirectories that it finds within a
monitored directory.
* If you set this setting to "false", the input does not monitor sub-directories.
* Default: true
followSymlink = <boolean>
* Whether or not to follow any symbolic links within a monitored directory.
* If you set this setting to "false", the input ignores symbolic links
that it finds within a monitored directory.
* If you set the setting to "true", the input follows symbolic links
and monitors files at the symbolic link destination.
* Additionally, any allow lists or deny lists that the input stanza defines
also apply to files at the symbolic link destination.
* Default: true
_whitelist = ...
* DEPRECATED.
* This setting is valid unless the 'whitelist' setting also exists.
_blacklist = ...
* DEPRECATED.
* This setting is valid unless the 'blacklist' setting also exists.
############################################################################
# BATCH ("Upload a file" in Splunk Web):
############################################################################
Use the 'batch' input for large archives of historic data. If you
want to continuously monitor a directory or index small archives, use 'monitor'
(see above). 'batch' reads in the file and indexes it, and then deletes the
file on disk.
[batch://<path>]
* A one-time, destructive input of files in <path>.
* This stanza must include the 'move_policy = sinkhole' setting.
* This input reads and indexes the files, then DELETES THEM IMMEDIATELY.
* For continuous, non-destructive inputs of files, use 'monitor' instead.
# Additional settings:
move_policy = sinkhole
* This setting is required. You *must* include "move_policy = sinkhole"
when you define batch inputs.
* This setting causes the input to load the file destructively.
* CAUTION: Do not use the 'batch' input type for files you do not want to
delete after indexing.
* The 'move_policy' setting exists for historical reasons, but remains as a
safeguard. As an administrator, you must explicitly declare
that you want the data in the monitored directory (and its sub-directories) to
be deleted after being read and indexed.
host_regex = see MONITOR, above.
host_segment = see MONITOR, above.
crcSalt = see MONITOR, above.
time_before_close = see MONITOR, above.
log_on_completion = <boolean>
* When set to false, this setting prevents Splunk software from logging to
splunkd.log when it indexes files with this input.
* Default: true
# 'batch' inputs do not use the following setting:
# source = <string>
followSymlink = <boolean>
* Works similarly to the same setting for monitor, but does not delete files
after following a symbolic link out of the monitored directory.
# The following settings work identically as for [monitor::] stanzas,
# documented above
host_regex = <regular expression>
host_segment = <integer>
crcSalt = <string>
recursive = <boolean>
whitelist = <regular expression>
blacklist = <regular expression>
initCrcLength = <integer>
time_before_close = <integer>
############################################################################
# TCP:
############################################################################
[tcp://<remote server>:<port>]
* Configures the input to listen on a specific TCP network port.
* If a <remote server> makes a connection to this instance, the input uses this
stanza to configure itself.
* If you do not specify <remote server>, this stanza matches all connections
on the specified port.
* Generates events with source set to "tcp:<port>", for example: tcp:514
* If you do not specify a sourcetype, generates events with sourcetype
set to "tcp-raw".
# Additional settings:
connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for the IP address of the system
sending the data.
* "none" leaves the host as specified in inputs.conf, typically the Splunk
system hostname.
* Default: dns
queueSize = <integer>[KB|MB|GB]
* The maximum size of the in-memory input queue.
* Default: 500KB
persistentQueueSize = <integer>[KB|MB|GB|TB]
* Maximum size of the persistent queue file.
* Persistent queues can help prevent loss of transient data. For information on
persistent queues and how the 'queueSize' and 'persistentQueueSize' settings
interact, search the online documentation for "persistent queues".
* If you set this to a value other than 0, then 'persistentQueueSize' must
be larger than either the in-memory queue size (as defined by the 'queueSize'
setting in inputs.conf or 'maxSize' settings in [queue] stanzas in
server.conf).
* Default: 0 (no persistent queue)
requireHeader = <boolean>
* Whether or not to require a header be present at the beginning of every
stream.
* This header can be used to override indexing settings.
* Default: false
listenOnIPv6 = [no|yes|only]
* Whether or not the input listens on IPv4, IPv6, or both
* Set to 'yes' to listen on both IPv4 and IPv6 protocols.
* Set to 'only' to listen on only the IPv6 protocol.
* Default: The setting in the [general] stanza of the server.conf file
acceptFrom = <network_acl> ...
* Lists a set of networks or addresses from which to accept connections.
* Separate multiple rules with commas or spaces.
* Each rule can be in one of the following formats:
1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
2. A Classless Inter-Domain Routing (CIDR) block of addresses
(examples: "10/8", "192.168.1/24", "fe80:1234/32")
3. A DNS name, possibly with a "*" used as a wildcard
(examples: "myhost.example.com", "*.splunk.com")
4. "*", which matches anything
* You can also prefix an entry with '!' to cause the rule to reject the
connection. The input applies rules in order, and uses the first one that
matches.
For example, "!10.1/16, *" allows connections from everywhere except
the 10.1.*.* network.
* Default: "*" (accept from anywhere)
rawTcpDoneTimeout = <seconds>
* The amount of time, in seconds, that a network connection can remain idle
before Splunk software declares that the last event over that connection
has been received.
* If a connection over this port remains idle for more than
'rawTcpDoneTimeout' seconds after receiving data, it adds a Done-key. This
declares that the last event has been completely received.
* Default: 10
[tcp:<port>]
* Configures the input to listen on the specified TCP network port.
* This stanza is similar to [tcp://<remote server>:<port>], but listens for
connections to the specified port from any host.
* Generates events with a source of tcp:<port>.
* If you do not specify a sourcetype, generates events with a source type of
tcp-raw.
* This stanza supports the following settings:
connection_host = [ip|dns|none]
queueSize = <integer>[KB|MB|GB]
persistentQueueSize = <integer>[KB|MB|GB|TB]
requireHeader = <boolean>
listenOnIPv6 = [no|yes|only]
acceptFrom = <network_acl> ...
rawTcpDoneTimeout = <integer>
############################################################################
# Data distribution:
############################################################################
# Global settings for splunktcp. Used on the receiving side for data forwarded
# from a forwarder.
[splunktcp]
route = [has_key|absent_key:<key>:<queueName>;...]
* Settings for the light forwarder.
* The receiver sets these parameters automatically -- you do not need to set
them yourself.
* The property route is composed of rules delimited by ';' (semicolon).
* The receiver checks each incoming data payload through the cooked TCP port
against the route rules.
* If a matching rule is found, the receiver sends the payload to the specified
<queueName>.
* If no matching rule is found, the receiver sends the payload to the default
queue specified by any queue= for this stanza. If no queue= key is set in
the stanza or globally, the receiver sends the events to the parsingQueue.
enableS2SHeartbeat = <boolean>
* Specifies the global keepalive setting for all splunktcp ports.
* This option is used to detect forwarders which might have become unavailable
due to network, firewall, or other problems.
* The receiver monitors each connection for presence of a heartbeat, and if the
heartbeat is not seen for 's2sHeartbeatTimeout' seconds, it closes the
connection.
* Default: true (heartbeat monitoring enabled)
s2sHeartbeatTimeout = <seconds>
* The amount of time, in seconds, that a receiver waits for heartbeats from
forwarders that connect to this instance.
* The receiver closes a forwarder connection if it does not receive
a heartbeat for 's2sHeartbeatTimeout' seconds.
* Default: 600 (10 minutes)
inputShutdownTimeout = <seconds>
* The amount of time, in seconds, that a receiver waits before shutting down
inbound TCP connections after it receives a signal to shut down.
* Used during shutdown to minimize data loss when forwarders are connected to a
receiver.
* During shutdown, the TCP input processor waits for 'inputShutdownTimeout'
seconds and then closes any remaining open connections.
* If all connections close before the end of the timeout period,
shutdown proceeds immediately, without waiting for the timeout.
stopAcceptorAfterQBlock = <seconds>
* Specifies the time, in seconds, to wait before closing the splunktcp port.
* If the receiver is unable to insert received data into the configured queue
for more than the specified number of seconds, it closes the splunktcp port.
* This action prevents forwarders from establishing new connections to this
receiver.
* Forwarders that have an existing connection notice that the port is closed
upon test connections and move to other receivers.
* Once the queue unblocks, and TCP Input can continue processing data, the
receiver starts listening on the port again.
* This setting should not be adjusted lightly as extreme values can interact
poorly with other defaults.
* Note: If there are multiple tcp/splunktcp listener ports configured,
all listening ports are shut down regardless of whether other queues are
blocked or not.
* Default: 300 (5 minutes)
listenOnIPv6 = no|yes|only
* Select whether this receiver listens on IPv4, IPv6, or both protocols.
* Set this to 'yes' to listen on both IPv4 and IPv6 protocols.
* Set to 'only' to listen on only the IPv6 protocol.
* If not present, the input uses the setting in the [general] stanza
of server.conf.
acceptFrom = <network_acl> ...
* Lists a set of networks or IP addresses from which to accept connections.
* Specify multiple rules with commas or spaces.
* Each rule can be in the following forms:
1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
3. A DNS name, possibly with a "*" used as a wildcard (examples:
"myhost.example.com", "*.splunk.com")
4. "*", which matches anything.
* You can also prefix an entry with '!' to cause the rule to reject the
connection.
* The input applies rules in order, and uses the first one that matches.
For example, "!10.1/16, *" allows connections from everywhere
except the 10.1.*.* network.
* Default: "*" (accept from anywhere)
negotiateProtocolLevel = <unsigned integer>
* If set, lets forwarders that connect to this receiver (or specific port)
send data using only up to the specified feature level of the Splunk
forwarder protocol.
* If set to a value that is lower than the default, denies the use
of newer forwarder protocol features during connection negotiation. This
might impact indexer efficiency.
* Default (if 'negotiateNewProtocol' is "true"): 1
* Default (if 'negotiateNewProtocol' is not "true"): 0
negotiateNewProtocol = <boolean>
* Controls the default configuration of the 'negotiateProtocolLevel' setting.
* DEPRECATED.
* Use the 'negotiateProtocolLevel' instead.
* Default: true
concurrentChannelLimit = <unsigned integer>
* The number of unique channel codes that are available for forwarders to
use to communicate with an indexer.
* Each forwarder that connects to this indexer may use up to
'concurrentChannelLimit' unique channel codes.
* In other words, each forwarder may have up to 'concurrentChannelLimit'
channels in flight concurrently.
* The receiver closes a forwarder connection if a forwarder attempts to
exceed this value.
* This setting only applies when the new forwarder protocol is in use.
* Default: 300
# Forwarder-specific settings for splunktcp.
[splunktcp://[<remote server>]:<port>]
* Receivers use this input stanza.
* This is the same as the [tcp://] stanza, except the remote server is assumed
to be a Splunk instance, most likely a forwarder.
* <remote server> is optional. If you specify it, the receiver only listens for
data from <remote server>.
* Use of <remote server> is not recommended. Use the 'acceptFrom' setting,
which supersedes this setting.
connection_host = [ip|dns|none]
* For splunktcp, the 'host' or 'connection_host' setting is used if the remote
Splunk instance does not set a host, or if the host is set to
"<host>::<localhost>".
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
sending the data.
* "none" leaves the host as specified in inputs.conf, typically the Splunk
system hostname.
* Default: ip
compressed = <boolean>
* Whether or not the receiver communicates with the forwarder in
compressed format.
* Applies to non-Secure Sockets Layer (SSL) receiving only. There is no
compression setting required for SSL.
* If set to "true", the receiver communicates with the forwarder in
compressed format.
* If set to "true", there is no longer a requirement to also set
"compressed = true" in the outputs.conf file on the forwarder.
* Default: false
enableS2SHeartbeat = <boolean>
* Specifies the keepalive setting for the splunktcp port.
* This option is used to detect forwarders which might have become unavailable
due to network, firewall, or other problems.
* The receiver monitors the connection for presence of a heartbeat, and if it
does not see the heartbeat in 's2sHeartbeatTimeout' seconds, it closes the
connection.
* This overrides the default value specified at the global [splunktcp] stanza.
* Default: true (heartbeat monitoring enabled)
s2sHeartbeatTimeout = <integer>
* The amount of time, in seconds, that a receiver waits for heartbeats from
forwarders that connect to this instance.
* The receiver closes the forwarder connection if it does not see a heartbeat
for 's2sHeartbeatTimeout' seconds.
* This overrides the default value specified at the global [splunktcp] stanza.
* Default: 600 (10 minutes)
queueSize = <integer>[KB|MB|GB]
* The maximum size of the in-memory input queue.
* Default: 500KB
negotiateProtocolLevel = <unsigned integer>
* See the description for this setting in the [splunktcp] stanza.
negotiateNewProtocol = <boolean>
* See the description for this setting in the [splunktcp] stanza.
concurrentChannelLimit = <unsigned integer>
* See the description for this setting in the [splunktcp] stanza.
[splunktcp:<port>]
* This input stanza is the same as [splunktcp://[<remote server>]:<port>], but
accepts connections from any server.
* See the online documentation for [splunktcp://[<remote server>]:<port>] for
more information on the following supported settings:
connection_host = [ip|dns|none]
compressed = <boolean>
enableS2SHeartbeat = <boolean>
s2sHeartbeatTimeout = <integer>
queueSize = <integer>[KB|MB|GB]
negotiateProtocolLevel = <unsigned integer>
negotiateNewProtocol = <boolean>
concurrentChannelLimit = <unsigned integer>
# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
token on forwarders.
* The receiver discards data from forwarders that do not have the
token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.
* NOTE: When specifying a <token name>, you must use a specific format,
as follows: NNNNNNNN-NNNN-NNNN-NNNN-NNNNNNNNNNNN. Failure to use this
format results in the token being ignored.
* For example, 'A843001F-B2B5-4F94-847D-D07802685BB2'
token = <string>
* Value of the token.
* Must be in the format NNNNNNNN-NNNN-NNNN-NNNN-NNNNNNNNNNNN. Failure to
use this string format results in the token being ignored.
# SSL settings for data distribution:
[splunktcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, parsed data from a
forwarder.
* Set <port> to the port on which the forwarder sends the encrypted data.
* Forwarder settings are set in outputs.conf on the forwarder.
* Compression for SSL is enabled by default. On the forwarder you can still
specify compression with the 'useClientSSLCompression' setting in
outputs.conf.
* The 'compressed' setting is used for non-SSL connections. However, if you
still specify 'compressed' for SSL, ensure that the 'compressed' setting is
the same as on the forwarder, as splunktcp protocol expects the same
'compressed' setting from forwarders.
connection_host = [ip|dns|none]
* For splunktcp, the host or connection_host is used if the remote Splunk
instance does not set a host, or if the host is set to "<host>::<localhost>".
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
sending the data.
* "none" leaves the host as specified in inputs.conf, typically the Splunk
system hostname.
* Default: ip
compressed = <boolean>
* See the description for this setting in the [splunktcp:<port>] stanza.
enableS2SHeartbeat = <boolean>
* See the description for this setting in the [splunktcp:<port>] stanza.
s2sHeartbeatTimeout = <seconds>
* See the description for this setting in the [splunktcp:<port>] stanza.
listenOnIPv6 = [no|yes|only]
* Select whether this receiver listens on IPv4, IPv6, or both protocols.
* Set to "yes" to listen on both IPv4 and IPv6 protocols.
* Set to "only" to listen on only the IPv6 protocol.
* Default: The setting in the [general] stanza of the server.conf file
acceptFrom = <network_acl> ...
* Lists a set of networks or IP addresses from which to accept connections.
* Specify multiple rules with commas or spaces.
* Each rule can be in the following forms:
1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
3. A DNS name, possibly with a "*" used as a wildcard (examples:
"myhost.example.com", "*.splunk.com")
4. "*", which matches anything.
* You can also prefix an entry with '!' to cause the rule to reject the
connection. The input applies rules in order, and uses the first one that
matches. For example, "!10.1/16, *" allows connections from everywhere except
the 10.1.*.* network.
* Default: "*" (accept from anywhere)
negotiateProtocolLevel = <unsigned integer>
* See the description for this setting in the [splunktcp] stanza.
negotiateNewProtocol = <boolean>
* See the description for this setting in the [splunktcp] stanza.
concurrentChannelLimit = <unsigned integer>
* See the description for this setting in the [splunktcp] stanza.
# To specify global SSL settings that apply to all ports, add them to the
# [SSL] stanza.
# Specify any SSL setting that deviates from the global setting here.
# For a detailed description of each SSL setting, refer to the [SSL] stanza.
serverCert = <path>
sslPassword = <password>
requireClientCert = <boolean>
sslVersions = <string>
cipherSuite = <cipher suite string>
ecdhCurves = <comma separated list of ec curves>
dhFile = <path>
allowSslRenegotiation = <boolean>
sslQuietShutdown = <boolean>
sslCommonNameToCheck = <commonName1>, <commonName2>, ...
sslAltNameToCheck = <alternateName1>, <alternateName2>, ...
useSSLCompression = <boolean>
[tcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, unparsed data from a
forwarder or third-party system.
* Set <port> to the port on which the forwarder/third-party system is sending
unparsed, encrypted data.
* To create multiple SSL inputs, you can add the following attributes to each
[tcp-ssl:<port>] input stanza. If you do not configure a certificate for the
port, the certificate information is pulled from the default [SSL] stanza:
* serverCert = <path_to_cert>
* sslRootCAPath = <path_to_cert>. Only add this setting if you
have not configured the 'sslRootCAPath' setting in server.conf.
* sslPassword = <password>
listenOnIPv6 = [no|yes|only]
* Select whether the receiver listens on IPv4, IPv6, or both protocols.
* Set to "yes" to listen on both IPv4 and IPv6 protocols.
* Set to "only" to listen on only the IPv6 protocol.
* If not present, the receiver uses the setting in the [general] stanza
of server.conf.
acceptFrom = <network_acl> ...
* Lists a set of networks or IP addresses from which to accept connections.
* Specify multiple rules with commas or spaces.
* Each rule can be in the following forms:
1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
3. A DNS name, possibly with a '*' used as a wildcard (examples:
"myhost.example.com", "*.splunk.com")
4. A single '*', which matches anything.
* You can also prefix an entry with '!' to cause the rule to reject the
connection. The input applies rules in order, and uses the first one that
matches. For example, "!10.1/16, *" allows connections from everywhere except
the 10.1.*.* network.
* Default: "*" (accept from anywhere)
# To specify global SSL settings that apply to all ports, add them to the
# [SSL] stanza.
# Specify any SSL setting that deviates from the global setting here.
# For a detailed description of each SSL setting, refer to the [SSL] stanza.
serverCert = <path>
sslPassword = <password>
requireClientCert = <boolean>
sslVersions = <string>
cipherSuite = <cipher suite string>
ecdhCurves = <comma separated list of ec curves>
dhFile = <path>
allowSslRenegotiation = <boolean>
sslQuietShutdown = <boolean>
sslCommonNameToCheck = <commonName1>, <commonName2>, ...
sslAltNameToCheck = <alternateName1>, <alternateName2>, ...
useSSLCompression = <boolean>
[SSL]
* Set the following specifications for receiving Secure Sockets Layer (SSL)
communication underneath this stanza name.
serverCert = <path>
* The full path to the server certificate Privacy-Enhanced Mail (PEM)
format file.
* PEM is the most common text-based storage format for SSL certificate files.
* No default.
sslPassword = <string>
* The server certificate password, if it exists.
* Initially set to the plain-text password.
* Upon first use, the input encrypts and rewrites the password to
$SPLUNK_HOME/etc/system/local/inputs.conf.
password = <string>
* DEPRECATED.
* Do not use this setting. Use the 'sslPassword' setting instead.
rootCA = <path>
* DEPRECATED.
* Do not use this setting. Use 'server.conf/[sslConfig]/sslRootCAPath' instead.
* Used only if 'sslRootCAPath' is not set.
* The <path> must refer to a PEM format file containing one or more root CA
certificates concatenated together.
requireClientCert = <boolean>
* Determines whether a client must present an SSL certificate to authenticate.
* Default: false (if using self-signed and third-party certificates)
* Default: true (if using the default certificates; this overrides the
"false" setting above)
sslVersions = <string>
* A comma-separated list of SSL versions to support.
* The versions available are "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions. The version "tls"
selects all versions that begin with "tls".
* To remove a version from the list, prefix it with "-".
* SSLv2 is always disabled. Specifying "-ssl2" in the version list has
no effect.
* When configured in Federal Information Processing Standard (FIPS) mode, the
"ssl3" version is always disabled, regardless of this configuration.
* The default can vary. See the 'sslVersions' setting in
$SPLUNK_HOME/etc/system/default/inputs.conf for the current default.
supportSSLV3Only = <boolean>
* DEPRECATED.
* SSLv2 is now always disabled.
* Use the 'sslVersions' setting to set the list of supported SSL versions.
cipherSuite = <cipher suite string>
* If set, uses the specified cipher string for the input processors.
* Must specify 'dhFile' to enable any Diffie-Hellman ciphers.
* The default can vary. See the 'cipherSuite' setting in
$SPLUNK_HOME/etc/system/default/inputs.conf for the current default.
ecdhCurveName = <string>
* DEPRECATED.
* Use the 'ecdhCurves' setting instead.
* This setting specifies the Elliptic Curve Diffie-Hellman (ECDH) curve to
use for ECDH key negotiation.
* Splunk software only supports named curves that have been specified
by their SHORT name.
* The list of valid named curves by their short and long names