Splunk data input configuration fields
Summarize
Summary of Splunk Data Input Configuration Fields
This document outlines the configuration fields for setting up data inputs in Splunk, specifically focusing on the necessary settings for effective log streaming to a ServiceNow instance. Understanding these fields enables ServiceNow customers to efficiently manage data inputs and ensure secure and reliable log transmission.
Show less
Key Features
- Data Input Name: Required field for naming the new data input.
- Description: Provides a description of the data input.
- MID Server: Specifies the MID Server for log streaming; basic authentication servers only.
- Port: Designates the port for the MID Server, which must be opened by the security team.
- Transport Protocol: Choose between TCP (reliable but may block if the MID Server is down) or UDP (faster but may drop logs).
Advanced Configuration
- Use SSL/TLS: Option to secure data transmission.
- Look Up Hostnames: Option to perform DNS resolution for IPs.
- Boss Thread Count: Number of threads managing connections (default is 1).
- Worker Thread Count: Number of threads handling incoming data (default is 4).
- Read Timeout Seconds: Duration before the system closes the channel due to inactivity (default is 30 seconds).
- Default Timezone: Specifies the time zone for events (default is GMT).
- Sub Sample Drop Ratio: Determines the ratio of events to discard (-1 means no drop).
- Max Length in Bytes: Sets the maximum byte length for log messages (default is 32766).
- Character Encoding: Specifies the encoding for the data input (default is UTF-8).
- Drop if Queue is Full: Option to discard logs when the MID Server is under load.
Key Outcomes
By configuring these fields correctly, ServiceNow customers can ensure optimal performance and reliability of log data streaming from Splunk, enabling better monitoring and analysis of their IT operations.
Description of the fields on the Splunk data input configuration form.
Basic configuration
| Field | Description |
|---|---|
| Data input name | Name of the new data input. This field is required. |
| Description | Description of the data input. |
| MID Server | The MID Server to which the logs stream. Note: This field is required.
|
| Port | The port for the MID Server. Make sure that your organization’s security team opens the selected port in the MID Server. This field is required. |
| Transport Protocol | The protocol used for streaming log messages to your ServiceNow instance.
For more information about streaming log data using the TCP or UCP transport protocol, see the Streaming Splunk data using Heavy Forwarder: Selecting TCP or UDP [KB0998928] article in the Now Support Knowledge Base. |
Advanced configuration
| Field | Description | Default values |
|---|---|---|
| Use SSL/TLS | Option for selecting to use SSL/TLS. | |
| Look up hostnames | Option for selecting to perform DNS lookup to resolve IPs to hostnames. | false |
| Boss thread count | The number of threads that manage connections. | 1 |
| Worker thread count | The number of threads that handle incoming data. | 4 |
| Read timeout seconds | The timeout in seconds since the last read. When the timeout expires, the system closes the channel. | 30 |
| Default timezone | The default time zone of events. The system uses this default when the log does not specify a time zone. | GMT |
| Sub sample drop ratio | The ratio of events to drop. | -1 |
| Sub sample receive ratio | The ratio of events to receive. | -1 |
| Max length in bytes | The maximum length of log messages in bytes. | 32766 |
| Character encoding | The character encoding for this data input. | UTF-8 |
| Drop if queue is full | Option for selecting to discard logs if there is a load on the MID Server. |