
Inputs

host = <string>

  • Sets the host key/field to a static value for this input stanza.

  • The input uses this field during parsing and indexing. It also uses this
    field at search time.

  • As a convenience, the input prepends the chosen string with 'host::'.

  • If set to '$decideOnStartup', sets the field to the hostname of executing
    machine. This occurs on each splunkd startup.

  • If you run multiple instances of the software on the same machine (hardware
    or virtual machine), choose unique values for 'host' to differentiate
    your data, ex. myhost-sh-1 or myhost-idx-2.

  • Do not put the <string> value in quotes. Use host=foo, not host="foo".

  • If you set 'host' to "$decideOnStartup", you can further control how splunkd
    derives the hostname by using the 'hostnameOption' setting in server.conf.

    • For example, if you want splunkd to use the fully qualified domain
      name for the machine, set "host = $decideOnStartup" in inputs.conf and
      "hostnameOption = fullyqualifiedname" in server.conf.
    • More information on hostname options can be found in the server.conf
      specification file.
  • If you remove the 'host' setting from $SPLUNK_HOME/etc/system/local/inputs.conf
    or remove $SPLUNK_HOME/etc/system/local/inputs.conf, the setting changes to
    "$decideOnStartup". Apps that need a resolved host value should use the
    'host_resolved' property in the response for the REST 'GET' call of the
    input source. This property is set to the hostname of the local Splunk
    instance. It is a read only property that is not written to inputs.conf.

  • Default: "$decideOnStartup", but at installation time, the setup logic
    adds the local hostname, as determined by DNS, to the
    $SPLUNK_HOME/etc/system/local/inputs.conf default stanza, which is the
    effective default value.

Specifies the host name.


index = <string>

  • Sets the index to store events from this input.
  • Primarily used to specify the index to store events that come in through
    this input stanza.
  • Default: "main" (or whatever you have set as your default index).

Specifies the index that the data is ingested into.


sourcetype = <string>

  • Sets the sourcetype key/field for events from this input.
  • Explicitly declares the source type for this input instead of letting
    it be determined through automated methods. This is important for
    search and for applying the relevant configuration for this data type
    during parsing and indexing.
  • Sets the sourcetype key initial value. The key is used during
    parsing or indexing to set the source type field during
    indexing. It is also the source type field used at search time.
  • As a convenience, the chosen string is prepended with 'sourcetype::'.
  • Do not put the <string> value in quotes: Use sourcetype=foo,
    not sourcetype="foo".
  • If not set, the indexer analyzes the data and chooses a source type.
  • No default.

Specifies the sourcetype.


crcSalt = <string>

  • Use this setting to force the input to consume files that have matching CRCs
    (cyclic redundancy checks).
    • By default, the input only performs CRC checks against the first 256
      bytes of a file. This behavior prevents the input from indexing the same
      file twice, even though you might have renamed it, as with rolling log
      files, for example. Because the CRC is based on only the first
      few lines of the file, it is possible for legitimately different files
      to have matching CRCs, particularly if they have identical headers.
  • If set, <string> is added to the CRC.
  • If set to the literal string "<SOURCE>" (including the angle brackets), the
    full directory path to the source file is added to the CRC. This ensures
    that each file being monitored has a unique CRC. When 'crcSalt' is invoked,
    it is usually set to <SOURCE>.
  • Be cautious about using this setting with rolling log files; it could lead
    to the log file being re-indexed after it has rolled.
  • In many situations, 'initCrcLength' can be used to achieve the same goals.
  • Default: empty string

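A CRC check on the first 256 bytes of each file prevents the same file, such as a rotated log file, from being ingested twice.
If the literal string <SOURCE> is set in this field, the file path is included in the CRC check.
The number of bytes used for the CRC check can be changed with the 'initCrcLength' value.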


initCrcLength = <integer>

  • How much of a file, in bytes, that the input reads before trying to
    identify whether it is a file that has already been seen. You might want to
    adjust this if you have many files with common headers (comment headers,
    long CSV headers, etc) and recurring filenames.
  • Cannot be less than 256 or more than 1048576.
  • CAUTION: Improper use of this setting causes data to be re-indexed. You
    might want to consult with Splunk Support before adjusting this value - the
    default is fine for most installations.
  • Default: 256 (bytes)

Specifies the number of bytes used for the CRC check.
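The following added example (not Splunk's code and not from the original page) models the 'crcSalt' and 'initCrcLength' behaviour described above, to show when a log file with a shared header is silently skipped and when a rolled file is re-indexed. It assumes a simplified fingerprint, zlib CRC32 over the salt plus the first 'initCrcLength' bytes; the function names, file paths and sample data are constructed for illustration.

```python
import zlib

def fingerprint(data, path, init_crc_length=256, crc_salt=""):
    # Simplified model (assumption): CRC32 over the salt, then over the first
    # init_crc_length bytes of the file. The real input's CRC may differ.
    if not 256 <= init_crc_length <= 1048576:
        raise ValueError("initCrcLength cannot be less than 256 or more than 1048576")
    # The literal "<SOURCE>" means: salt with the full path of the file.
    salt = path if crc_salt == "<SOURCE>" else crc_salt
    return zlib.crc32(data[:init_crc_length], zlib.crc32(salt.encode()))

def skipped(files, **settings):
    """Return the paths the model treats as already seen (not indexed)."""
    seen, dropped = set(), []
    for path, data in files:
        fp = fingerprint(data, path, **settings)
        if fp in seen:
            dropped.append(path)
        seen.add(fp)
    return dropped

# Constructed sample data: two different audit exports sharing a 385-byte header.
HEADER = b"# exported audit log v1\n" + b"timestamp,user,src_ip,action,result," * 10 + b"\n"
FILE_A = HEADER + b"2024-01-01T00:00:00Z,alice,10.0.0.5,login,success\n"
FILE_B = HEADER + b"2024-01-02T00:00:00Z,bob,10.0.0.9,login,failure\n"
DISTINCT = [("/var/log/app/a.csv", FILE_A), ("/var/log/app/b.csv", FILE_B)]
# Constructed rotation: the same content moves from audit.log.1 to audit.log.2.
ROLLED = [("/var/log/app/audit.log.1", FILE_A), ("/var/log/app/audit.log.2", FILE_A)]

def scenarios():
    return {
        # Default 256 bytes: only the common header is hashed, b.csv is lost.
        "default_distinct": skipped(DISTINCT),
        # Longer read reaches the differing rows, both files are indexed.
        "long_crc_distinct": skipped(DISTINCT, init_crc_length=1024),
        # Path salt also separates them ...
        "source_salt_distinct": skipped(DISTINCT, crc_salt="<SOURCE>"),
        # ... but a rolled file now looks new and is indexed a second time.
        "source_salt_rolled": skipped(ROLLED, crc_salt="<SOURCE>"),
        # Without the salt the rolled copy is recognised and skipped.
        "default_rolled": skipped(ROLLED),
    }

if __name__ == "__main__":
    for name, dropped in scenarios().items():
        print(f"{name}: skipped={dropped}")
```

In this model, raising 'initCrcLength' fixes the shared-header case without the duplicate indexing that the path salt causes on rotation.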