Splunk data input configuration fields
Summary of Splunk Data Input Configuration Fields
This guide provides details on the configuration fields used in the Splunk data input form, essential for setting up data streaming from Splunk to your ServiceNow instance. Proper configuration ensures efficient log management and system performance.
Key Features
- Data Input Name: Required field for naming the data input.
- Description: A field for detailing the purpose of the data input.
- MID Server: Select a MID Server that supports basic authentication for log streaming, with a maximum of 10 data inputs per server.
- Port: Specify the port for the MID Server, ensuring it's opened by the security team.
- Transport Protocol: Choose between TCP (reliable but can block if the MID Server is down) and UDP (faster but may drop logs).
Advanced Configuration
- Use SSL/TLS: Option to enable secure data transmission.
- Look Up Hostnames: Option to resolve IP addresses to hostnames (default: false).
- Boss Thread Count: Number of threads managing connections (default: 1).
- Worker Thread Count: Number of threads handling incoming data (default: 4).
- Read Timeout Seconds: Timeout duration before closing the channel (default: 30 seconds).
- Default Timezone: Sets the default timezone for events (default: GMT).
- Sub Sample Drop Ratio: Ratio for dropping events (-1 means no limit).
- Sub Sample Receive Ratio: Ratio for receiving events (-1 means no limit).
- Max Length in Bytes: Maximum log message length (default: 32766 bytes).
- Character Encoding: Defines the character encoding (default: UTF-8).
- Drop if Queue is Full: Option to discard logs under heavy load conditions.
Key Outcomes
By correctly configuring these fields, ServiceNow customers can ensure reliable log data streaming from Splunk, maintain optimal performance, and effectively manage log data integrity. This setup allows for customized data handling based on organizational needs and security protocols.
Description of the fields on the Splunk data input configuration form.
Basic configuration
| Field | Description |
|---|---|
| Data input name | Name of the new data input. This field is required. |
| Description | Description of the data input. |
| MID Server | The MID Server to which the logs stream. Note: This field is required. |
| Port | The port for the MID Server. Make sure that your organization’s security team opens the selected port in the MID Server. This field is required. |
| Transport Protocol | The protocol used for streaming log messages to your ServiceNow instance. For more information about streaming log data using the TCP or UDP transport protocol, see the Streaming Splunk data using Heavy Forwarder: Selecting TCP or UDP [KB0998928] article in the Now Support Knowledge Base. |
Advanced configuration
| Field | Description | Default values |
|---|---|---|
| Use SSL/TLS | Option for selecting to use SSL/TLS. | |
| Look up hostnames | Option for selecting to perform DNS lookup to resolve IPs to hostnames. | false |
| Boss thread count | The number of threads that manage connections. | 1 |
| Worker thread count | The number of threads that handle incoming data. | 4 |
| Read timeout seconds | The timeout in seconds since the last read. When the timeout expires, the system closes the channel. | 30 |
| Default timezone | The default time zone of events. The system uses this default when the log does not specify a time zone. | GMT |
| Sub sample drop ratio | The ratio of events to drop. | -1 |
| Sub sample receive ratio | The ratio of events to receive. | -1 |
| Max length in bytes | The maximum length of log messages in bytes. | 32766 |
| Character encoding | The character encoding for this data input. | UTF-8 |
| Drop if queue is full | Option for selecting to discard logs if there is a load on the MID Server. | |
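The tables above describe the form fields and their defaults but not how to check a proposed configuration before enabling it. The following Python script is an added example, not ServiceNow or Splunk code: it mirrors the field names and default values from both tables, validates the required and numeric fields, shows why the max length is measured in bytes of the configured character encoding rather than in characters, and performs the reachability check a practitioner would run from the forwarder host after the security team has opened the MID Server port. The key names, the check rules, the function names and the sample log line are assumptions made for this illustration.

```python
"""Pre-flight checks for a Splunk -> MID Server data input.

Added example, not ServiceNow or Splunk code. The keys and defaults mirror
the configuration form described above; the check rules, function names and
the sample log line are assumptions made for this illustration.
"""
import codecs
import socket

# Defaults exactly as listed on the Advanced configuration form.
DEFAULTS = {
    "use_ssl_tls": False,
    "look_up_hostnames": False,
    "boss_thread_count": 1,
    "worker_thread_count": 4,
    "read_timeout_seconds": 30,
    "default_timezone": "GMT",
    "sub_sample_drop_ratio": -1,
    "sub_sample_receive_ratio": -1,
    "max_length_in_bytes": 32766,
    "character_encoding": "UTF-8",
    "drop_if_queue_is_full": False,
}

# Constructed sample event (not real data) in the shape a forwarder would send.
SAMPLE_LOG = ("Jan 19 10:14:23 splunk-hf sshd[1234]: Failed password for "
              "invalid user admin from 203.0.113.5 port 51234 ssh2")


def validate_data_input(cfg):
    """Return a list of problems with the form values; an empty list means OK."""
    full = {**DEFAULTS, **cfg}
    problems = []
    # Basic configuration: these four fields are required on the form.
    for key in ("data_input_name", "mid_server", "port", "transport_protocol"):
        if full.get(key) in (None, ""):
            problems.append(f"{key} is required")
    port = full.get("port")
    if isinstance(port, int) and not 1 <= port <= 65535:
        problems.append(f"port {port} is outside 1-65535")
    proto = full.get("transport_protocol")
    if proto and str(proto).upper() not in ("TCP", "UDP"):
        problems.append(f"transport_protocol must be TCP or UDP, not {proto!r}")
    # Advanced configuration: thread counts, timeout and size must be positive.
    for key in ("boss_thread_count", "worker_thread_count",
                "read_timeout_seconds", "max_length_in_bytes"):
        if not isinstance(full[key], int) or full[key] < 1:
            problems.append(f"{key} must be a positive integer")
    # -1 means "no limit" for both sub-sample ratios; anything else must be >= 0.
    for key in ("sub_sample_drop_ratio", "sub_sample_receive_ratio"):
        if full[key] != -1 and full[key] < 0:
            problems.append(f"{key} must be -1 (no limit) or >= 0")
    try:
        codecs.lookup(full["character_encoding"])
    except LookupError:
        problems.append(f"unknown character_encoding {full['character_encoding']!r}")
    return problems


def fits_max_length(message, cfg):
    """Encode one event with the configured encoding and compare it against the
    max length in bytes. Returns (fits, byte_length); the byte length is what
    counts, so non-ASCII characters may occupy more than one byte each."""
    full = {**DEFAULTS, **cfg}
    nbytes = len(message.encode(full["character_encoding"]))
    return nbytes <= full["max_length_in_bytes"], nbytes


def start_local_listener(host="127.0.0.1"):
    """Bind a TCP listener on an ephemeral port so the reachability check can be
    exercised offline. Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def tcp_port_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout.
    Run this from the forwarder host before enabling the data input; a refused
    or timed-out connection usually means the port has not been opened yet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    cfg = {"data_input_name": "splunk-hf-01", "mid_server": "mid-eu-1",
           "port": 1514, "transport_protocol": "TCP"}
    print("problems:", validate_data_input(cfg))
    print("sample fits:", fits_max_length(SAMPLE_LOG, cfg))
    srv, port = start_local_listener()
    print(f"local listener on {port} reachable:", tcp_port_reachable("127.0.0.1", port))
    srv.close()
```

The reachability check only applies to the TCP transport: a UDP data input accepts datagrams without a handshake, so a closed UDP port produces no error on the sender and the only symptom is silently dropped events, which is the trade-off the Transport Protocol row describes.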