Splunk data input configuration fields

Release version: Australia

Updated March 12, 2026

2 minutes to read

Summarize

Summarized using AI

Summary of Splunk Data Input Configuration Fields

This document outlines the configuration fields for setting up data inputs in Splunk, specifically for ServiceNow customers. It provides essential details to help configure log streaming correctly and efficiently.

Show full answer Show less

Key Features

Data Input Name: Required field to specify the name of the new data input.
Description: Allows you to describe the data input for better identification.
MID Server: Select the MID Server for log streaming; only those supporting basic authentication are available. The default limit is 10 data inputs per MID Server but can be adjusted.
Port: Required configuration to specify the port for the MID Server. Ensure it is opened by your organization's security team.
Transport Protocol: Choose between TCP (default) for guaranteed delivery or UDP for non-blocking streaming, understanding the trade-offs regarding data integrity.
Use Cooked Data: Option to ingest logs in a preprocessed format retaining contextual information, eliminating the need for additional configuration files.
Use Forwarder TimeZone: Passes forwarder time zone information to the MID Server for accurate log timestamps.
Enable Compression: Compress log data during transfer to reduce size, applicable only with SSL/TLS enabled.

Advanced Configuration

Use SSL/TLS: Mandatory for compressed log transfer; enhances security.
Look up Hostnames: Option for DNS resolution of IPs (default: false).
Thread Counts: Manage connections (1 boss thread) and handle incoming data (4 worker threads).
Read Timeout: Closes channel after 30 seconds of inactivity.
Default Timezone: GMT is used when logs lack a specified time zone.
Sub Sample Ratios: Control event drop (default -1) and receive ratios (default -1).
Max Length: Limits log message size to 32,766 bytes.
Character Encoding: Set to UTF-8 for encoding data input.
Drop if Queue is Full: Discards logs when the MID Server is under load.

Key Outcomes

By accurately configuring these fields, ServiceNow customers can streamline their log data ingestion process, ensuring reliable log management while maintaining necessary security and performance standards. This setup facilitates effective monitoring and analysis of log data within their ServiceNow instance.

Description of the fields on the Splunk data input configuration form.

Basic configuration

Table 1. Getting Started tab
Field	Description
Data input name	Name of the new data input. This field is required.
Description	Description of the data input.
MID Server	The MID Server to which the logs stream. Note: You can select only MID Servers that support basic authentication. MID Servers that support mTLS are not listed. The default maximum number of data inputs streaming logs to a single MID Server is 10. You can modify this number in the MID Server properties. This field is required.
Port	The port for the MID Server. Make sure that your organization’s security team opens the selected port in the MID Server. This field is required.
Transport Protocol	The protocol used for streaming log messages to your ServiceNow instance. TCP - When using the Transmission Control Protocol (TCP) protocol, all logs will reach the instance. However, the Splunk pipeline might be blocked if the MID Server is down or the connection to it is lost. TCP is the default transport protocol. UDP - When using the User Datagram Protocol (UDP) protocol, the Splunk pipeline will never be blocked. However, some logs might be dropped before they reach the instance. For more information about streaming log data using the TCP or UCP transport protocol, see the Streaming Splunk data using Heavy Forwarder: Selecting TCP or UDP [KB0998928] article in the Now Support Knowledge Base.
Use Cooked Data	Option to ingest log data from Splunk in the preprocessed ("cooked") format that Splunk uses on the forwarder. Ingesting data into HLA in this format ensures that each log line retains the relevant contextual information that Splunk embeds into it. Note: If you select this option, there is no need to edit the props.conf and transforms.conf files during Splunk data input configuration.
Use Forwarder TimeZone	Option to pass information about the time zone in which the forwarder is located. The MID Server uses this information to adjust for the time zone from which the logs arrive. This option is relevant when using Splunk Universal Forwarders.
Enable Compression	Option to send logs in compressed format. Sending logs in a compressed format minimizes the size of the data being transferred, which is important when dealing with large volumes of log data. This option is relevant when using Splunk Universal Forwarders and can only be used when SSL/TLS is enabled.

Advanced configuration

Table 2. Advanced configuration form
Field	Description	Default values
Use SSL/TLS	Option to use SSL/TLS. Note: To send logs in a compressed format, SSL/TLS must be enabled.
Look up hostnames	Option to perform DNS lookup to resolve IPs to hostnames.	false
Boss thread count	The number of threads that manage connections.	1
Worker thread count	The number of threads that handle incoming data.	4
Read timeout seconds	The timeout in seconds since the last read. When the timeout expires, the system closes the channel.	30
Default timezone	The default time zone of events. The system uses this default when the log does not specify a time zone.	GMT
Sub sample drop ratio	The ratio of events to drop.	-1
Sub sample receive ratio	The ratio of events to receive.	-1
Max length in bytes	The maximum length of log messages in bytes.	32766
Character encoding	The character encoding for this data input.	UTF-8
Drop if queue is full	Option to discard logs if there is a load on the MID Server.