Splunk Data Onboarding Cheatsheet


Even the biggest, baddest Splunk infrastructure is useless without data. But, the way that you bring that data into your Splunk instance can be key to keeping Splunk neat, tidy, and humming along at peak performance.

There are a lot of different knobs and levers to be adjusted when adding data to Splunk, and they can make a big difference. For example, specifying a line breaker, turning off line merging, and telling Splunk where the timestamp is and how it is formatted (rather than leaving it to guess) can lead to a 4x indexing performance improvement.

The key settings when onboarding data into Splunk, via props.conf, are:

  • TIME_PREFIX
  • TIME_FORMAT
  • MAX_TIMESTAMP_LOOKAHEAD
  • SHOULD_LINEMERGE
  • LINE_BREAKER
  • TRUNCATE

With so many different settings and formats, not to mention other activity like configuring index-time operations (sourcetype, host, and index overwrites), and search-time operations (field extractions, field aliases, and lookups), I created a cheat sheet to help aid my memory. After a while of using it, I decided it needed a little more information. So…I created a version 2!
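To make the settings above concrete, here is a props.conf stanza for a constructed application log, shown next to the "leave Splunk to guess" version it replaces. This is an added example, not a copy of the cheat sheet; the sourcetype name acme:auth, the log format, and the field names are assumptions. Each event in the constructed log looks like: 2016-09-01 14:22:05.123 +0000 INFO auth user=alice src=10.0.0.5 action=login result=success

```ini
# props.conf (added example, not from the cheat sheet)

# --- Before: the guessing configuration -------------------------------
# Nothing tells Splunk where events begin or where the timestamp lives.
# Line merging is on, so a multi-line stack trace can be glued onto the
# previous event, and the timestamp extractor scans the whole line,
# which means a number in the message body can be mistaken for the time.
# Mis-timed events are the problem to watch for: they land in the wrong
# time range and disappear from the search window an analyst is using.
[acme:auth_guessing]
SHOULD_LINEMERGE = true

# --- After: explicit line breaking and timestamp recognition ----------
[acme:auth]
# Every event starts with an ISO-style date, so break on the newline that
# is followed by one. The capture group is the text Splunk discards.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} )

# Drop anything longer than this many bytes in one event; protects the
# indexer from a runaway or malformed line.
TRUNCATE = 10000

# The timestamp is at the very start of the event, so the prefix is the
# start-of-line anchor. The format matches "2016-09-01 14:22:05.123 +0000":
# %3N is milliseconds, %z is the numeric UTC offset.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
# The timestamp text is 29 characters; stop looking after 30 so a later
# number in the event can never be picked up as the time.
MAX_TIMESTAMP_LOOKAHEAD = 30

# Search-time field extraction for the key=value pairs that follow the
# log level. Splunk's automatic KV extraction would also find these; the
# explicit regex is shown because the post lists field extractions as
# one of the search-time operations to configure.
EXTRACT-acme_auth_fields = user=(?<user>\S+)\s+src=(?<src>\S+)\s+action=(?<action>\S+)\s+result=(?<result>\S+)
```

Put the stanza on the indexers (or the heavy forwarders that parse for them) for the index-time settings, and on the search heads for the EXTRACT- line; the timestamp and line-breaking keys are only honoured where parsing happens. A quick check after deploying is to search the sourcetype and compare _time against the timestamp printed in _raw: if they differ, TIME_PREFIX or TIME_FORMAT is wrong for that data.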

Download the Printable Desktop Reference: Splunk Data Onboarding Cheat Sheet

As an added bonus, I added a quick “how-to” on getting data to conform to the Splunk Common Information Model. By conforming to the CIM, you can make sure that your data is ready for Splunk Apps, like the Splunk App for Enterprise Security or other community apps which make use of the CIM, data models, and data model acceleration.
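The following stanzas show what "conforming to the CIM" means in configuration terms for the same constructed acme:auth sourcetype: the raw field names are mapped onto the Authentication data model's field names and the events are tagged so the data model picks them up. This is an added example, not the cheat sheet's own how-to; the sourcetype name, raw field names and result values are assumptions, while the target field names (user, src, dest, app, action) and the authentication tag are the ones the CIM Authentication data model expects.

```ini
# props.conf (added example, not from the cheat sheet)
[acme:auth]
# Raw fields that already carry the CIM name need nothing. Fields with a
# different name get an alias so both names resolve at search time.
FIELDALIAS-acme_auth_cim = src_host AS dest

# The data model wants action to be exactly "success" or "failure"; the
# constructed log puts that in the "result" field and uses "action" for the
# operation name, so rename the operation and normalise the outcome.
EVAL-signature = action
EVAL-action = case(result=="success", "success", result=="fail" OR result=="failure", "failure", true(), "unknown")
EVAL-app = "acme_auth"

# eventtypes.conf: select the events that represent authentication attempts.
[acme_authentication]
search = sourcetype=acme:auth action=*

# tags.conf: the Authentication data model's root search is tag=authentication,
# so tagging the eventtype is what makes these events appear in it.
[eventtype=acme_authentication]
authentication = enabled
```

Once the tag is in place, the check is a data model search such as | datamodel Authentication Authentication search, which should return the acme:auth events with action, user, src and dest populated; if the events are missing, the eventtype search or the tag is the first thing to verify, and if a field is empty the alias or EVAL for it is.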

We’ll be posting more in the future on the Splunk Data Onboarding Process, so keep checking back! In the meantime, here are some other great links on getting data into Splunk:

We will also be handing these out at conf2016! So, if you see us, feel free to ask!
