
#   Version 6.0 

#

# This file contains possible attribute/value pairs for configuring limits for search commands.

#

# There is a limits.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 

# place a limits.conf in $SPLUNK_HOME/etc/system/local/. For examples, see 

# limits.conf.example. You must restart Splunk to enable configurations.

#

# To learn more about configuration files (including precedence) please see the documentation 

# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

#


# GLOBAL SETTINGS

# Use the [default] stanza to define any global settings.

#     * You can also define global settings outside of any stanza, at the top of the file.

#     * Each conf file should have at most one default stanza. If there are multiple default

#       stanzas, attributes are combined. In the case of multiple definitions of the same

#       attribute, the last definition in the file wins.

#     * If an attribute is defined at both the global level and in a specific stanza, the

#       value in the specific stanza takes precedence.


# CAUTION: Do not alter the settings in limits.conf unless you know what you are doing. 

# Improperly configured limits may result in splunkd crashes and/or memory overuse.


* Each stanza controls different parameters of search commands.


max_mem_usage_mb = <integer>

* Specifies the recommended maximum estimated memory usage of internal data structures that can use disk as a backing store if this limit would otherwise be exceeded.

* Coordinates with maxresultrows such that what is held in memory satisfies at least one of these two constraints, unless max_mem_usage_mb is set to 0.

* Also acts as a cutoff for memory usage by mvexpand.

* Certain commands may use multiple such structures in conjunction with large in-memory result sets, so the true maximum search memory usage may be 4-5 times this limit depending on the sequence of commands.

* Defaults to 200 (MB)


min_batch_size_bytes = <integer>

* Specifies the size of the file/tar after which the file is handled by the batch reader instead of the tailing processor.

* Global parameter, cannot be configured per input.

* Note: configuring this to a very small value could lead to jobs backing up at the tailing processor.

* defaults to 20 MB 


[searchresults]

* Limit settings for search results.

* This stanza controls search results for a variety of Splunk search commands.


maxresultrows = <integer>

* Sets the maximum number of results.

* The default is 50,000.

* Configures the maximum number of events generated by search commands that grow the size of your result set (such as multikv) or that create events. Other search commands are explicitly controlled in specific stanzas below.

* This limit should not exceed 50000. Setting this limit higher than 50000 causes instability.

* Defaults to 50000. 


tocsv_maxretry = <integer>

* Maximum number of times to retry the atomic write operation.

* 1 = no retries.

* Defaults to 5.


tocsv_retryperiod_ms = <integer>

* Period of time to wait before each retry.

* Defaults to 500.


[subsearch]

* Limit settings for subsearches.

* This stanza controls subsearch results.

* NOTE: This stanza DOES NOT control subsearch results when a subsearch is called by

  commands such as join, append, or appendcols. 

* Read more about subsearches in the online documentation: 

  http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches


maxout = <integer>

* Sets the maximum number of subsearch results.

* The default is 10,000 results.

* Maximum number of results to return from a subsearch.

* This value cannot be greater than or equal to 10500.

* Defaults to 10000.


maxtime = <integer>

* Search time limit for subsearches.

* The default is 60 sec.; the subsearch is finalized at 60 sec. and the results obtained up to that point are returned.

* Maximum number of seconds to run a subsearch before finalizing

* Defaults to 60.


ttl = <integer>

* Time to cache a given subsearch's results, in seconds.

* Do not set this below 120 seconds. 

* See the definition of ttl in [search] for more details on how the ttl is computed.

* Defaults to 300.
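An added example, not part of the limits.conf spec and not Splunk's own code, that applies the precedence rules from the GLOBAL SETTINGS section (top-of-file and [default] settings are global, repeated [default] stanzas are combined with the last definition winning, a specific stanza overrides global) and then audits the effective values against the caps this spec states for [searchresults] maxresultrows, [subsearch] maxout and [subsearch] ttl. The parser, the function names and the sample file are assumptions made for the example.

```python
import re

# Constructed sample limits.conf for the example; not from any real deployment.
# It exercises every precedence rule the spec describes.
SAMPLE_LIMITS_CONF = """
# top-of-file setting: treated as global, like [default]
max_mem_usage_mb = 200

[default]
maxresultrows = 40000
ttl = 100

[searchresults]
maxresultrows = 60000

[subsearch]
maxout = 10500

[default]
ttl = 300
"""

# Caps taken from the spec text above (not invented):
#   [searchresults] maxresultrows must not exceed 50000
#   [subsearch] maxout cannot be >= 10500
#   [subsearch] ttl must not be set below 120
DOCUMENTED_CHECKS = {
    ("searchresults", "maxresultrows"): lambda v: v <= 50000,
    ("subsearch", "maxout"): lambda v: v < 10500,
    ("subsearch", "ttl"): lambda v: v >= 120,
}

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
KV_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_limits_conf(text):
    """Return {stanza: {key: value}}; global settings live under 'default'."""
    stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m:
            # Last definition of an attribute wins, both within a stanza and
            # across repeated stanzas; plain dict assignment gives exactly that.
            stanzas[current][m.group(1)] = m.group(2)
    return stanzas


def effective_value(stanzas, stanza, key):
    """Specific stanza first, then the combined global/[default] settings."""
    if key in stanzas.get(stanza, {}):
        return stanzas[stanza][key]
    return stanzas["default"].get(key)


def audit(stanzas):
    """List effective settings that violate the caps the spec documents."""
    findings = []
    for (stanza, key), ok in DOCUMENTED_CHECKS.items():
        value = effective_value(stanzas, stanza, key)
        if value is None:
            continue
        try:
            number = int(value)
        except ValueError:
            findings.append(f"[{stanza}] {key} = {value!r} is not an integer")
            continue
        if not ok(number):
            findings.append(f"[{stanza}] {key} = {number} violates the documented limit")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_limits_conf(SAMPLE_LIMITS_CONF)):
        print(finding)
```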


[anomalousvalue]


maxresultrows = <integer>

* Configures the maximum number of events that can be present in memory at one time. 

* Defaults to searchresults::maxresultrows (which is by default 50000).

maxvalues = <integer>

* Maximum number of distinct values for a field.

* Defaults to 100000.


maxvaluesize = <integer>

* Maximum size in bytes of any single value (truncated to this size if larger).

* Defaults to 1000.


[associate]


maxfields = <integer>

* Maximum number of fields to analyze.

* Defaults to 10000.


maxvalues = <integer>

* Maximum number of values for any field to keep track of.

* Defaults to 10000.


maxvaluesize = <integer>

* Maximum length of a single value to consider.

* Defaults to 1000.



[autoregress]


maxp = <integer>

* Maximum valid period for auto regression 

* Defaults to 10000.


maxrange = <integer>

* Maximum magnitude of range for p values when given a range.

* Defaults to 1000.


[concurrency]

max_count = <integer>

* Maximum number of detected concurrencies.

* Defaults to 10000000



[ctable]

* This stanza controls the contingency, ctable, and counttable commands.


maxvalues = <integer>

* Maximum number of columns/rows to generate (the maximum number of distinct values for the row field and column field).

* Defaults to 1000.



[correlate]


maxfields = <integer>

* Maximum number of fields to correlate.

* Defaults to 1000.



[discretize]

* This stanza sets attributes for bin/bucket/discretize.


default_time_bins = <integer>

* When discretizing time for timechart or explicitly via bin, the default bins to use if no span or bins is specified.

* Defaults to 100


maxbins = <integer> 

* Maximum number of buckets to discretize into.

* If maxbins is not specified or = 0, it defaults to searchresults::maxresultrows (which is by default 50000).


[export]

add_timestamp = <bool>

* Add an epoch-time timestamp to JSON streaming output that reflects the time the results were generated/retrieved

* Defaults to false


add_offset = <bool>

* Add an offset/row number to JSON streaming output

* Defaults to true


[extern]

perf_warn_limit = <integer>

* Warn when external scripted command is applied to more than this many events

* set to 0 for no message (message is always INFO level)

* Defaults to 10000


[inputcsv]

mkdir_max_retries = <integer>

* Maximum number of retries for creating a tmp directory (with random name as subdir of SPLUNK_HOME/var/run/splunk)

* Defaults to 100.


[indexpreview]

max_preview_bytes = <integer>

* Maximum number of bytes to read from each file during preview

* Defaults to 2000000 (2 MB)


max_results_perchunk = <integer>

* Maximum number of results to emit per call to preview data generator

* Defaults to 2500


soft_preview_queue_size = <integer>

* Loosely-applied maximum on number of preview data objects held in memory

* Defaults to 100


[join]

subsearch_maxout = <integer>

* Maximum result rows in output from subsearch to join against.

* Defaults to 50000


subsearch_maxtime = <integer>

* Maximum search time (in seconds) before auto-finalization of subsearch.

* Defaults to 60 


subsearch_timeout = <integer>

* Maximum time to wait for subsearch to fully finish (in seconds).

* Defaults to 120


[kmeans]


maxdatapoints = <integer>

* Maximum data points to do kmeans clusterings for.

* Defaults to 100000000


maxkvalue = <integer>

* Maximum number of clusters to attempt to solve for.

* Defaults to 1000


maxkrange = <integer>

* Maximum number of k values to iterate over when specifying a range.

* Defaults to 100


[kv]


maxcols = <integer>

* When non-zero, the point at which kv should stop creating new fields.

* Defaults to 512.


limit = <integer>

* Maximum number of keys auto kv can generate.

* Defaults to 50.


maxchars = <integer>

* Truncate _raw to this size and then do auto KV.

* Defaults to 10240 characters.


max_extractor_time = <integer>

* Maximum amount of CPU time, in milliseconds, that a key-value pair extractor will be allowed to take before warning. If the extractor exceeds this execution time on any event, a warning will be issued.

* Defaults to 1000


avg_extractor_time = <integer>

* Maximum amount of CPU time, in milliseconds, that the average (over search results) execution time of a key-value pair extractor will be allowed to take before warning. Once the average becomes larger than this amount of time, a warning will be issued.

* Defaults to 500


[lookup]


max_memtable_bytes = <integer> 

* Maximum size of static lookup file to use an in-memory index for.

* Defaults to 10000000 bytes (10 MB).


max_matches = <integer>

* maximum matches for a lookup

* range 1 - 1000 

* Defaults to 1000


max_reverse_matches = <integer> 

* maximum reverse lookup matches (for search expansion)

* Defaults to 50


batch_index_query = <bool>

* Should non-memory file lookups (files that are too large) use batched queries to possibly improve performance?

* Defaults to true


batch_response_limit = <integer>

* When doing batch requests, the maximum number of matches to retrieve.

* If more than this many matches would otherwise be retrieved, we will fall back to non-batch mode matching.

* Defaults to 5000000


[metrics]


maxseries = <integer>

* The number of series to include in the per_x_thruput reports in metrics.log.

* Defaults to 10.


interval = <integer>

* Number of seconds between logging splunkd metrics to metrics.log.

* Minimum of 10.

* Defaults to 30.


[rare]


maxresultrows = <integer>

* Maximum number of result rows to create.

* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).


maxvalues = <integer>

* Maximum number of distinct field vector values to keep track of.

* Defaults to 100000.


maxvaluesize = <integer>

* Maximum length of a single value to consider.

* Defaults to 1000.


[restapi]


maxresultrows = <integer>

* Maximum result rows to be returned by /events or /results getters from REST API.

* Defaults to 50000.


time_format_reject = <regular expression>

* HTTP parameters for time_format and output_time_format which match this regex will be rejected (blacklisted).

* The regex will be satisfied by a substring match anywhere in the parameter.

* Intended as defense-in-depth against XSS-style attacks against browser users by crafting specially encoded URLs for them to access splunkd.

* If unset, all parameter strings will be accepted.

* To disable this check entirely, set the value to empty.

  # Example of disabling: time_format_reject =

* Defaults to [<>!] , which means that the less-than '<', greater-than '>', and exclamation point '!' are not allowed.
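An added example, not from the spec and not Splunk's code, that models the time_format_reject check as described: a substring regex match anywhere in the time_format or output_time_format parameter rejects the request, and an empty value disables the check. The function names and sample parameters are assumptions; the one caveat it demonstrates is that an empty pattern must be treated as "disabled" before compiling, because re.search("") would otherwise match every string and reject everything.

```python
import re

DEFAULT_TIME_FORMAT_REJECT = r"[<>!]"  # the documented default


def build_time_format_rejecter(pattern=DEFAULT_TIME_FORMAT_REJECT):
    """Return a predicate telling whether a parameter value is rejected.

    An empty value corresponds to "time_format_reject =" in limits.conf and
    disables the check, so every parameter is accepted. It must be handled
    before compiling: re.search("", s) matches every s.
    """
    if pattern == "":
        return lambda param: False
    compiled = re.compile(pattern)
    # Substring match anywhere in the parameter, as the spec states.
    return lambda param: compiled.search(param) is not None


def check_time_params(params, pattern=DEFAULT_TIME_FORMAT_REJECT):
    """Apply the rejecter to the two HTTP parameters the setting covers."""
    rejected = build_time_format_rejecter(pattern)
    verdicts = {}
    for name in ("time_format", "output_time_format"):
        if name in params:
            verdicts[name] = "rejected" if rejected(params[name]) else "accepted"
    return verdicts


# Constructed sample requests (query parameters as a dict)
SAMPLE_OK = {"time_format": "%Y-%m-%dT%H:%M:%S", "output_time_format": "%s"}
SAMPLE_MARKUP = {"time_format": "%Y-%m-%d<br>%H:%M"}   # contains '<' and '>'
SAMPLE_BANG = {"output_time_format": "%H:%M!"}         # contains '!'

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MARKUP, SAMPLE_BANG):
        print(check_time_params(sample))
    # With the check disabled, the markup sample is accepted.
    print(check_time_params(SAMPLE_MARKUP, pattern=""))
```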


jobscontentmaxcount = <integer>

* Maximum length of a property in the contents dictionary of an entry from /jobs getter from REST API

* Value of 0 disables truncation

* Defaults to 0


[search]

* Limit settings for searches.


summary_mode = [all|only|none]

* Controls whether precomputed summary data is used when possible.

* all: use summary if possible, otherwise use raw data

* only: use summary if possible, otherwise do not use any data

* none: never use precomputed summary data

* Defaults to 'all'


use_bloomfilter = <bool>

* Control whether to use bloom filters to rule out buckets


max_id_length = <integer>

* Maximum length of custom search job id when spawned via REST api arg id=


ttl = <integer>

* How long search artifacts should be stored on disk once completed, in seconds. The ttl is computed relative to the modtime of status.csv of the job if such a file exists, or the modtime of the search job's artifact directory. If a job is being actively viewed in the Splunk UI, then the modtime of status.csv is constantly updated so that the reaper does not remove the job from underneath.

* Defaults to 600, which is equivalent to 10 minutes.


default_save_ttl = <integer>

* How long the ttl for a search artifact should be extended in response to the save control action, in seconds.  0 = indefinitely.

* Defaults to 604800 (1 week)


remote_ttl = <integer>

* How long artifacts from searches run in behalf of a search head should be stored on the indexer 

  after completion, in seconds.

* Defaults to 600 (10 minutes)


status_buckets = <integer>

* The approximate maximum number of buckets to generate and maintain in the timeline.

* Defaults to 0, which means do not generate timeline information.


max_bucket_bytes = <integer>

* This setting has been deprecated and has no effect


max_count = <integer>

* The number of events that can be accessible in any given status bucket.

* The last accessible event in a call that takes a base and bounds.

* Defaults to 10000.


max_events_per_bucket = <integer>

* For searches with status_buckets>0 this will limit the number of events retrieved per timeline bucket.

* Defaults to 1000 in code.  


truncate_report = [1|0]

* Specifies whether or not to apply the max_count limit to report output.

* Defaults to false (0).


min_prefix_len = <integer>

* The minimum length of a prefix before a * to ask the index about.

* Defaults to 1.


cache_ttl = <integer>

* The length of time to persist search cache entries (in seconds).

* Defaults to 300.


max_results_perchunk = <integer>

* Maximum results per call to search (in dispatch), must be less than or equal to maxresultrows.

* Defaults to 2500                                                                                      


min_results_perchunk = <integer>

* Minimum results per call to search (in dispatch), must be less than or equal to max_results_perchunk.

* Defaults to 100                                                                       


max_rawsize_perchunk = <integer>

* Maximum raw size of results per call to search (in dispatch).

* 0 = no limit.                   

* Defaults to 100000000 (100MB)

* Not affected by chunk_multiplier


target_time_perchunk = <integer>

* Target duration of a particular call to fetch search results in ms.

* Defaults to 2000


long_search_threshold = <integer>

* Time in seconds until a search is considered "long running".

* Defaults to 2


chunk_multiplier = <integer>

* max_results_perchunk, min_results_perchunk, and target_time_perchunk are multiplied by this for a long running search.

* Defaults to 5


min_freq = <number>

* Minimum frequency of a field required for including in the /summary endpoint as a fraction (>=0 and <=1).

* Defaults to 0.01 (1%)


reduce_freq = <integer>

* Attempt to reduce intermediate results every how many chunks (0 = never).

* Defaults to 10


reduce_duty_cycle = <number>

* the maximum time to spend doing reduce, as a fraction of total search time

* Must be > 0.0 and < 1.0

* Defaults to 0.25


preview_duty_cycle = <number>

* the maximum time to spend generating previews, as a fraction of total search time

* Must be > 0.0 and < 1.0

* Defaults to 0.25


dispatch_quota_retry = <integer>

* The maximum number of times to retry to dispatch a search when the quota has been reached.

* Defaults to 4


dispatch_quota_sleep_ms = <integer>

* Milliseconds between retrying to dispatch a search if a quota has been reached.

* Retries the given number of times, with each successive wait 2x longer than the previous.

* Defaults to 100


base_max_searches = <int>

* Sets the base maximum number of searches.

* A constant to add to the maximum number of searches, computed as a multiplier of the CPUs.

* Defaults to 6


max_searches_per_cpu = <int>

* Sets the maximum number of searches per CPU.

* The maximum number of concurrent historical searches per CPU. The system-wide limit of historical searches is computed as:

  max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches

* Note: the maximum number of real-time searches is computed as: 

  max_rt_searches = max_rt_search_multiplier x max_hist_searches

* Defaults to 1


max_rt_search_multiplier = <decimal number>

* A number by which the maximum number of historical searches is multiplied to determine the maximum number of concurrent real-time searches

* Note: the maximum number of real-time searches is computed as: 

  max_rt_searches = max_rt_search_multiplier x max_hist_searches

* Defaults to 1


max_macro_depth = <int> 

* Max recursion depth for macros.

* Considered a search exception if macro expansion doesn't stop after this many levels.

* Must be greater than or equal to 1.

* Default is 100


realtime_buffer = <int>

* Maximum number of accessible events to keep for real-time searches from Splunk Web.

* Acts as circular buffer once this limit is reached

* Must be greater than or equal to 1

* Default is 10000


stack_size = <int>

* The stack size (in bytes) of the thread executing the search.

* Defaults to 4194304  (4 MB)


status_cache_size = <int>

* The number of search job status data splunkd can cache in RAM. This cache improves performance of 

  the jobs endpoint

* Defaults to 2000


timeline_freq = <timespan> or <ratio> 

* Minimum amount of time between timeline commits.

* If specified as a number < 1 (and > 0), minimum time between commits is computed as a ratio of 

  the amount of time that the search has been running.

* defaults to 0 seconds


preview_freq = <timespan> or <ratio>

* Minimum amount of time between results preview updates.

* If specified as a number < 1 (and > 0), minimum time between previews is computed as a ratio of the amount of time that the search has been running, or as a ratio of the length of the time window for real-time windowed searches.

* Defaults to ratio of 0.05


max_combiner_memevents = <int>

* Maximum size of in-memory buffer for search results combiner, in terms of number of events.

* Defaults to 50000 events. 


replication_period_sec  = <int>

* The minimum amount of time in seconds between two successive bundle replications.

* Defaults to 60


replication_file_ttl = <int>

* The TTL (in seconds) of bundle replication tarballs, i.e. *.bundle files.

* Defaults to 600 (10m)


sync_bundle_replication = [0|1|auto]

* Flag indicating whether configuration file replication blocks searches or is run asynchronously.

* When this flag is set to auto, Splunk will use asynchronous replication if and only if all the peers support async bundle replication; otherwise it will fall back to sync replication.

* Defaults to auto


multi_threaded_setup = [0|1]

* Multi-thread setting.

* Applicable to distributed search.

* Flag indicating whether to use multiple threads when setting up distributed search to multiple peers.

* Defaults to false (0)


rr_min_sleep_ms = <int>

* Minimum time to sleep when reading results in round-robin mode when no data is available.

* Defaults to 10.


rr_max_sleep_ms = <int>

* Maximum time to sleep when reading results in round-robin mode when no data is available.

* Defaults to 1000


rr_sleep_factor = <int>

* If no data is available even after sleeping, increase the next sleep interval by this factor.

* defaults to 2


fieldstats_update_freq = <number>

* How often to update the field summary statistics, as a ratio to the elapsed run time so far.

* Smaller values means update more frequently.  0 means as frequently as possible.

* Defaults to 0


fieldstats_update_maxperiod = <int>

* Maximum period for updating field summary statistics in seconds

* 0 means no maximum, completely dictated by current_run_time * fieldstats_update_freq

* defaults to 60


remote_timeline = [0|1]

* If true, allows the timeline to be computed remotely to enable better map/reduce scalability.

* defaults to true (1). 


remote_timeline_prefetch = <int>

* Each peer should proactively send at most this many full events at the beginning

* Defaults to 100.


remote_timeline_parallel_fetch = <bool>

* Connect to multiple peers at the same time when fetching remote events?

* Defaults to true


remote_timeline_min_peers = <int>

* Minimum search peers for enabling remote computation of timelines.

* Defaults to 1.


remote_timeline_fetchall = [0|1]

* If true, fetches all events accessible through the timeline from the remote peers before the job is 

  considered done.

* Defaults to true (1).


remote_timeline_thread = [0|1]

* If true, uses a separate thread to read the full events from remote peers if remote_timeline is used and remote_timeline_fetchall is set to true. (Has no effect if remote_timeline or remote_timeline_fetchall is false.)

* Defaults to true (1).


remote_timeline_max_count = <int>

* Maximum number of events to be stored per timeline bucket on each search peer.

* Defaults to 10000


remote_timeline_max_size_mb = <int>

* Maximum size of disk that remote timeline events should take on each peer

* If the limit is reached, a DEBUG message is emitted (and should be visible from the job inspector/messages).

* Defaults to 100


remote_timeline_touchperiod = <int>

* How often to touch remote timeline artifacts to keep them from being deleted by the remote peer, while a search is running.

* In seconds, 0 means never.

* Defaults to 300.


remote_timeline_connection_timeout = <int>

* Connection timeout in seconds for fetching events processed by remote peer timeliner.

* Defaults to 5.


remote_timeline_send_timeout = <int>

* Send timeout in seconds for fetching events processed by remote peer timeliner.

* Defaults to 10.


remote_timeline_receive_timeout = <int>

* Receive timeout in seconds for fetching events processed by remote peer timeliner.

* Defaults to 10. 


default_allow_queue = [0|1]

* Unless otherwise specified via a REST API argument, should an async job spawning request be queued on quota violation? (If not, an HTTP "server too busy" error is returned.)

* Defaults to true (1).


queued_job_check_freq = <int>

* Frequency with which to check queued jobs to see if they can be started, in seconds

* Defaults to 1.


enable_history = <bool>

* Enable keeping track of searches?

* Defaults to true


max_history_length = <int>

* Max number of searches to store in history (per user/app)

* Defaults to 1000


allow_inexact_metasearch = <bool>

* Should a metasearch that is inexact be allowed?  If so, an INFO message will be added to the inexact metasearches.  If not, a fatal exception will occur at search parsing time.

* Defaults to false


indexed_as_exact_metasearch = <bool>

* Should we allow a metasearch to treat <field>=<value> the same as <field>::<value> if <field> is an indexed field.  Allowing this will allow a larger set of metasearches when allow_inexact_metasearch is set to false.  However, some of these searches may be inconsistent with the results of doing a normal search.

* Defaults to false


dispatch_dir_warning_size = <int>

* The number of jobs in the dispatch directory when to issue a bulletin message warning that performance could be impacted

* Defaults to 2000


allow_reuse = <bool>

* Allow normally executed historical searches to be implicitly re-used for newer requests if the newer request allows it?

* Defaults to true


track_indextime_range = <bool>

* Track the _indextime range of returned search results?

* Defaults to true


reuse_map_maxsize = <int>

* Maximum number of jobs to store in the reuse map 

* Defaults to 1000


status_period_ms = <int>

* The minimum amount of time, in milliseconds, between successive status/info.csv file updates

* This ensures search does not spend significant time just updating these files.

  * This is typically important for very large number of search peers.

  * It could also be important for extremely rapid responses from search peers,

    when the search peers have very little work to do.

* Defaults to 1000 (1 second)


search_process_mode = auto | traditional | debug <debugging-command> [debugging-args ...]

* Control how search processes are started

* When set to "traditional", Splunk initializes each search process completely from scratch

* When set to a string beginning with "debug", Splunk routes searches through the given command, allowing the user to "plug in" debugging tools

    * The <debugging-command> must reside in one of

        * $SPLUNK_HOME/etc/system/bin/

        * $SPLUNK_HOME/etc/apps/$YOUR_APP/bin/

        * $SPLUNK_HOME/bin/scripts/

    * Splunk will pass <debugging-args>, followed by the search command it would normally run, to <debugging-command>

    * For example, given:

        search_process_mode = debug $SPLUNK_HOME/bin/scripts/search-debugger.sh 5

      Splunk will run a command that looks generally like:

        $SPLUNK_HOME/bin/scripts/search-debugger.sh 5 splunkd search --id=... --maxbuckets=... --ttl=... [...]

* Defaults to "auto"


fetch_remote_search_log = <bool>

* If true, will attempt to fetch the search.log from every search peer at the end of the search and store in the job dispatch dir on the search head.

* Defaults to true


load_remote_bundles = <bool>

* On a search peer, allow remote (search head) bundles to be loaded in splunkd.

* Defaults to false.


use_dispatchtmp_dir = <bool>

* Whether to use the dispatchtmp directory for temporary search time files (write temporary files to a different directory from a job's dispatch directory). 

* Temp files would be written to $SPLUNK_HOME/var/run/splunk/dispatchtmp/<sid>/

* In search head pooling, performance can be improved by mounting dispatchtmp on the local file system.

* Defaults to true if search head pooling is enabled, false otherwise


check_splunkd_period = <int>

* Amount of time, in seconds, that determines how frequently the search process (when running a real-time search) checks whether its parent process (splunkd) is running or not.

* Defaults to 60


allow_batch_mode = <bool>

* Whether or not to allow the use of batch mode, which searches in disk-based batches in a time-insensitive manner.

* Defaults to false


batch_search_max_index_values = <int>

* When using batch mode this limits the number of event entries read from the index file. These entries are small, approximately 72 bytes. However, batch mode is more efficient when it can read more entries at once.

* Setting this value to a smaller number can lead to slower search performance. A balance needs to be struck between more efficient searching in batch mode and running out of memory on the system with concurrently running searches.

* Defaults to 10000000



* These settings control the periodicity of retries to search peers in the event of failure (connection errors, and others). The interval applies between failure and first retry, as well as between successive retries in the event of further failures.


batch_retry_min_interval = <int>

* When batch mode attempts to retry the search on a peer that failed, wait at least this many seconds

* Defaults to 5


batch_retry_max_interval = <int>

* When batch mode attempts to retry the search on a peer that failed, wait at most this many seconds

* Defaults to 300


batch_retry_scaling = <double>

* After a retry attempt fails, increase the time to wait before trying again by this scaling factor (value should be > 1.0)

* Defaults to 1.5


batch_wait_after_end = <int>

* Batch mode considers the search ended (finished) when all peers without communication failure have explicitly indicated that they are complete, i.e. have delivered the complete answer.

* After the search is at an end, batch mode will continue to retry with lost-connection peers for this many seconds.

* Defaults to 900


write_multifile_results_out = <bool>

* At the end of the search, if results are in multiple files, write out the multiple files to the results_dir directory, under the search results directory.

* This will speed up post-processing searches, since the results will already be split into appropriately sized files.

* Defaults to true


enable_cumulative_quota = <bool>

* Whether to enforce cumulative role-based quotas

* Defaults to false


[realtime] 

# Default options for indexer support of real-time searches

# These can all be overridden for a single search via REST API arguments


local_connect_timeout = <int>

* Connection timeout for an indexer's search process when connecting to that indexer's splunkd (in seconds)

* Defaults to 5


local_send_timeout = <int>

* Send timeout for an indexer's search process when connecting to that indexer's splunkd (in seconds)

* Defaults to 5


local_receive_timeout = <int>

* Receive timeout for an indexer's search process when connecting to that indexer's splunkd (in seconds)

* Defaults to 5


queue_size = <int>

* Size of queue for each real-time search (must be >0).

* Defaults to 10000


blocking = [0|1] 

* Specifies whether the indexer should block if a queue is full.

* Defaults to false


max_blocking_secs = <int>

* Maximum time to block if the queue is full (meaningless if blocking = false)

* 0 means no limit

* Defaults to 60


indexfilter = [0|1]

* Specifies whether the indexer should prefilter events for efficiency.

* Defaults to true (1).


default_backfill = <bool>

* Specifies if windowed real-time searches should backfill events

* Defaults to true


enforce_time_order = <bool>

* Specifies if real-time searches should ensure that events are sorted in ascending time order (the UI will automatically reverse the order in which it displays events for real-time searches, so in effect the latest events will be first)

* Defaults to true


disk_usage_update_period = <int>

* Specifies how frequently (in seconds) the search process should estimate the artifact disk usage.

* Defaults to 10


indexed_realtime_use_by_default = <bool>

* Should we use the indexedRealtime mode by default

* Precedence: SearchHead

* Defaults to false


indexed_realtime_disk_sync_delay = <int>

* After indexing there is a non-deterministic period where the files on disk, when opened by other programs, might not reflect the latest flush to disk, particularly when a system is under heavy load.

* This setting controls the number of seconds to wait for disk flushes to finish when using indexed/continuous/pseudo realtime search so that we see all of the data.

* Precedence: SearchHead overrides Indexers

* Defaults to 60 


indexed_realtime_default_span = <int>

* An indexed realtime search is made up of many component historical searches that by default will span this many seconds. If a component search is not completed in this many seconds, the next historical search will span the extra seconds. To reduce the overhead of running an indexed realtime search you can change this span to delay longer before starting the next component historical search.

* Precedence: Indexers

* Defaults to 1


indexed_realtime_maximum_span = <int>

* While running an indexed realtime search, if the component searches regularly take longer than indexed_realtime_default_span seconds, then the indexed realtime search can fall more than indexed_realtime_disk_sync_delay seconds behind realtime. Use this setting to set a limit after which we will drop data to catch back up to the specified delay from realtime, and only search the default span of seconds.

* Precedence: API overrides SearchHead overrides Indexers

* Defaults to 0 (unlimited) 


indexed_realtime_cluster_update_interval = <int>

* While running an indexed realtime search, if we are on a cluster we need to update the list of allowed primary buckets. This controls the interval at which we do this, and it must be less than indexed_realtime_disk_sync_delay. If your buckets transition from brand new to warm in less than this time, indexed realtime will lose data in a clustered environment.

* Precedence: Indexers

* Default: 30


[slc]


maxclusters = <integer>

* Maximum number of clusters to create.

* Defaults to 10000.


[sort]


maxfiles = <integer>

* Maximum files to open at once.  Multiple passes are made if the number of result chunks 

exceeds this threshold.

* Defaults to 64.


[stats|sistats]


maxmem_check_freq = <integer>

* How frequently to check to see if we are exceeding the in memory data structure size limit as specified by max_mem_usage_mb, in rows

* Defaults to 50000 rows


maxresultrows = <integer>

* Maximum number of result rows to create. 

* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).


maxvalues = <integer>

* Maximum number of values for any field to keep track of.

* Defaults to 0 (unlimited).


maxvaluesize = <integer>

* Maximum length of a single value to consider.

* Defaults to 0 (unlimited).


# rdigest is a data structure used to compute approximate order statistics (such as median and percentiles) 

# using sublinear space.


rdigest_k = <integer>

* rdigest compression factor

* Lower values mean more compression

* After compression, number of nodes guaranteed to be greater than or equal to 11 times k.

* Defaults to 100, must be greater than or equal to 2


rdigest_maxnodes = <integer>

* Maximum rdigest nodes before automatic compression is triggered.

* Defaults to 1, meaning automatically configure based on k value


max_stream_window = <integer>

* For streamstats command, the maximum allow window size

* Defaults to 10000.


max_valuemap_bytes = <integer>

* For sistats command, the maximum encoded length of the valuemap, per result written out

* If limit is exceeded, extra result rows are written out as needed.  (0 = no limit per row)

* Defaults to 100000.


perc_method = nearest-rank|interpolated

* Which method to use for computing percentiles (and medians=50 percentile).

* nearest-rank picks the number with 0-based rank R = floor((percentile/100)*count)

* interpolated means given F = (percentile/100)*(count-1), pick ranks R1 = floor(F) and R2 = ceiling(F) and interpolate linearly between the values at those ranks.  Answer = (value[R2] * (F - R1)) + (value[R1] * (1 - (F - R1)))

* See wikipedia percentile entries on nearest rank and "alternative methods" 

* Defaults to interpolated
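
The two perc_method computations described above, worked through as an added Python example (this is not Splunk's code, and the sample of response times is constructed here). Both methods run on the same sorted sample so the gap between them on small samples is visible. Clamping rank R to the last element when percentile = 100 is this example's choice; the spec text does not cover that edge.

```python
import math
from typing import Dict, Sequence, Tuple


def _sorted_sample(values: Sequence[float], percentile: float) -> list:
    """Shared input validation: a non-empty sample and a percentile in [0, 100]."""
    if len(values) == 0:
        raise ValueError("cannot compute a percentile of an empty sample")
    if not 0 <= percentile <= 100:
        raise ValueError("percentile must be between 0 and 100")
    return sorted(values)


def percentile_nearest_rank(values: Sequence[float], percentile: float) -> float:
    """perc_method = nearest-rank: the element at 0-based rank
    R = floor((percentile/100) * count) of the sorted sample."""
    data = _sorted_sample(values, percentile)
    count = len(data)
    rank = math.floor((percentile / 100.0) * count)
    # percentile = 100 yields R == count, one past the last element. Clamping to the
    # last element is this example's choice; the spec does not say what happens there.
    rank = min(rank, count - 1)
    return data[rank]


def percentile_interpolated(values: Sequence[float], percentile: float) -> float:
    """perc_method = interpolated: F = (percentile/100) * (count-1); take the values at
    ranks R1 = floor(F) and R2 = ceil(F) and interpolate linearly between them."""
    data = _sorted_sample(values, percentile)
    f = (percentile / 100.0) * (len(data) - 1)
    r1 = math.floor(f)
    r2 = math.ceil(f)
    frac = f - r1                      # how far F lies between R1 and R2
    return data[r2] * frac + data[r1] * (1.0 - frac)


def compare_methods(values: Sequence[float],
                    percentiles: Sequence[float]) -> Dict[float, Tuple[float, float]]:
    """{percentile: (nearest_rank_result, interpolated_result)} for side-by-side comparison."""
    return {
        p: (percentile_nearest_rank(values, p), percentile_interpolated(values, p))
        for p in percentiles
    }


if __name__ == "__main__":
    # Constructed sample: response times in milliseconds from a hypothetical access log.
    sample = [120, 95, 310, 87, 2200, 140, 102, 99, 455, 130]
    for p, (nr, ip) in compare_methods(sample, [50, 90, 99]).items():
        print(f"p{p}: nearest-rank={nr}  interpolated={ip:.1f}")
```

On the constructed sample, p50 is 130 under nearest-rank but 125.0 under interpolated, and the two-element sample [1, 100] gives 100 versus 50.5. That is the size of discrepancy to expect when a percentile-based alert threshold is compared across instances running with different perc_method settings.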


approx_dc_threshold = <integer>

* When using approximate distinct count (i.e. estdc(<field>) in stats/chart/timechart), do not use approximated results if the actual number of distinct values is less than this number

* Defaults to 1000


dc_digest_bits = <integer>

* The digest used for approximating distinct count will be 2^<integer> bytes in size.

* Defaults to 10 (equivalent to 1KB)

* Must be >= 8 (128B) and <= 16 (64KB)


natural_sort_output = <bool>

* Do a natural sort on the output of stats if output size is <= maxresultrows

* Natural sort means that we sort numbers numerically and non-numbers lexicographically

* Defaults to true


list_maxsize = <int>

* Maximum number of list items to emit when using the list() function in stats/sistats

* Defaults to 100


sparkline_maxsize = <int>

* Maximum number of elements to emit for a sparkline

* Defaults to value of list_maxsize setting


default_partitions = <int>

* Number of partitions to split incoming data into for parallel/multithreaded reduce

* Defaults to 1


partitions_limit = <int>

* Maximum number of partitions to split into that can be specified via the 'partitions' option.

* When exceeded, the number of partitions is reduced to this limit.

* Defaults to 100


[thruput]


maxKBps = <integer>

* If specified and not zero, this limits the speed through the thruput processor to the specified 

rate in kilobytes per second.

* To control the CPU load while indexing, use this to throttle the number of events this indexer 

processes to the rate (in KBps) you specify. 


[journal_compression]


threads = <integer>

* Specifies the maximum number of indexer threads which will work on compressing hot bucket journal data.

* Defaults to the number of CPU threads of the host machine

* This setting does not typically need to be modified.


[top]


maxresultrows = <integer>

* Maximum number of result rows to create.

* If not specified, defaults to searchresults::maxresultrows (usually 50000).


maxvalues = <integer>

* Maximum number of distinct field vector values to keep track of.

* Defaults to 100000.


maxvaluesize = <integer>

* Maximum length of a single value to consider.

* Defaults to 1000.


[summarize]

hot_bucket_min_new_events = <integer>

* The minimum number of new events that need to be added to the hot bucket (since last summarization)

* before a new summarization can take place. To disable hot bucket summarization set this value to a 

* large positive number.

* Defaults to 100000


sleep_seconds = <integer>

* The amount of time to sleep between polling of summarization complete status.

* Defaults to 5


stale_lock_seconds = <integer>

* The amount of time that must elapse since the mod time of a .lock file before summarization considers

* that lock file stale and removes it

* Defaults to 600


max_summary_ratio = <float>

* A number in the [0-1) range that indicates the maximum ratio of summary data / bucket size at which 

* point the summarization of that bucket, for the particular search, will be disabled. Use 0 to disable.

* Defaults to 0


max_summary_size = <int>

* Size of summary, in bytes, at which point we'll start applying the max_summary_ratio. Use 0 to disable.

* Defaults to 0


max_time = <int>

* The maximum amount of time, seconds, that a summary search process is allowed to run. Use 0 to disable.

* Defaults to 0


indextime_lag = <unsigned int>

* The amount of lag time to give indexing to ensure that it has synced any received events to disk. Effectively,

* the data received in the past indextime_lag seconds will NOT be summarized.

* Do not change this value unless directed by Splunk support.

* Defaults to 90


[transactions]


maxopentxn = <integer>

* Specifies the maximum number of not yet closed transactions to keep in the open pool before starting to evict transactions.

* Defaults to 5000.


maxopenevents = <integer>

* Specifies the maximum number of events that are part of open transactions before transaction eviction starts, using an LRU policy.

* Defaults to 100000.


[inputproc]


max_fd = <integer>

* Maximum number of file descriptors that Splunk will keep open, to capture any trailing data from 

files that are written to very slowly.

* Defaults to 100.


time_before_close = <integer>

* MOVED.  This setting is now configured per-input in inputs.conf.

* Specifying this setting in limits.conf is DEPRECATED, but for now will override the setting for all 

monitor inputs.


tailing_proc_speed = <integer>

* REMOVED.  This setting is no longer used.


[scheduler]

max_searches_perc = <integer>

* The maximum number of searches the scheduler can run, as a percentage of the maximum number of concurrent

searches; see [search] max_searches_per_cpu for how to set the system-wide maximum number of searches.

* Defaults to 50.


auto_summary_perc = <integer>

* The maximum number of concurrent searches to be allocated for auto summarization, as a percentage of the

concurrent searches that the scheduler can run. Note that user-scheduled searches take precedence over auto

summary searches.

* Defaults to 50.


max_action_results = <integer>

* The maximum number of results to load when triggering an alert action.

* Defaults to 10000


action_execution_threads = <integer>

* Number of threads to use to execute alert actions. Change this number if your alert actions take a long

time to execute.

* This number is capped at 10.

* Defaults to 2


actions_queue_size = <integer>

* The number of alert notifications to queue before the scheduler starts blocking. Set to 0 for an unlimited queue size.

* Defaults to 100


actions_queue_timeout = <integer>

* The maximum amount of time, in seconds, to block when the action queue is full.

* Defaults to 30


alerts_max_count = <integer>

* Maximum number of unexpired alerts to keep in the alerts manager. When this number is reached,

Splunk will start discarding the oldest alerts.

* Defaults to 50000


alerts_expire_period = <integer>

* The amount of time between expired alert removal passes.

* This period controls how frequently the alerts list is scanned; the only benefit from reducing it is

better resolution in the number of alerts fired at the savedsearch level.

* Change not recommended.

* Defaults to 120.


persistance_period = <integer>

* The period (in seconds) between scheduler state persistence to disk. The scheduler currently persists

the suppression and fired-unexpired alerts to disk. 

* This is relevant only in search head pooling mode.

* Defaults to 30.


max_lock_files = <int>

* The number of most recent lock files to keep around. 

* This setting only applies in search head pooling.


max_lock_file_ttl = <int>

* Time (in seconds) that must pass before reaping a stale lock file.

* Only applies in search head pooling.


max_per_result_alerts = <int>

* Maximum number of alerts to trigger for each saved search instance (or real-time results preview for RT alerts)

* Only applies in non-digest mode alerting. Use 0 to disable this limit

* Defaults to 500


max_per_result_alerts_time = <int>

* Maximum amount of time to spend triggering alerts for each saved search instance (or real-time results preview for RT alerts)

* Only applies in non-digest mode alerting. Use 0 to disable this limit.

* Defaults to 300


scheduled_view_timeout = <int>[s|m|h|d]

* The maximum amount of time that a scheduled view (pdf delivery) would be allowed to render

* Defaults to 60m


[auto_summarizer]

cache_timeout = <integer>

* The amount of time, in seconds, to cache auto summary details and search hash codes

* Defaults to 600 (10 minutes)


maintenance_period = <integer>

* The period of time, in seconds, at which auto summarization maintenance happens

* Defaults to 14400 (4 hours)


allow_event_summarization = <bool>

* Whether auto summarization of searches whose remote part returns events rather than results will be allowed.

* Defaults to false


max_verify_buckets = <int>

* When verifying buckets, stop after verifying this many buckets if no failures have been found

* 0 means never

* Defaults to 100


max_verify_ratio = <number>

* Maximum fraction of data in each bucket to verify

* Defaults to 0.1 (10%)


max_verify_bucket_time = <int>

* Maximum time to spend verifying each bucket, in seconds

* Defaults to 15 (seconds)


verify_delete = <bool>

* Should summaries that fail verification be automatically deleted?

* Defaults to false


max_verify_total_time = <int>

* Maximum total time in seconds to spend doing verification, regardless if any buckets have failed or not

* Defaults to 0 (no limit)


max_run_stats = <int>

* Maximum number of summarization run statistics to keep track and expose via REST.

* Defaults to 48


return_actions_with_normalized_ids = [yes|no|fromcontext]

* Report acceleration summaries are stored under a signature/hash which can be regular or normalized.

* Normalization improves the re-use of pre-built summaries but is not supported before 5.0. This config

* determines the default for how normalization works (regular/normalized).

* Default value is "fromcontext", which means the endpoints and summaries operate based on context.

* The normalization strategy can also be changed via admin/summarization REST calls with the "use_normalization"

* parameter, which can take the values "yes"/"no"/"fromcontext".


normalized_summaries = <bool>

* Turn on/off normalization of report acceleration summaries.

* Default = false and will become true in 6.0


detailed_dashboard = <bool>

* Turn on/off the display of both normalized and regular summaries in the Report 

* acceleration summary dashboard and details.

* Default = false


[show_source]

max_count = <integer>

* Maximum number of events accessible by show_source. 

* The show source command will fail when more than this many events are in the same second as the requested event.

* Defaults to 10000


max_timebefore = <timespan>

* Maximum time before requested event to show.

* Defaults to '1day' (86400 seconds)


max_timeafter = <timespan>

* Maximum time after requested event to show.

* Defaults to '1day' (86400 seconds)


distributed = <bool>

* Controls whether we will do a distributed search for show source to get events from all servers and indexes

* Turning this off results in better performance for show source, but events will only come from the initial server and index

* NOTE: event signing and verification is not supported in distributed mode

* Defaults to true


distributed_search_limit = <unsigned int>

* Sets a limit on the maximum events we will request when doing the search for distributed show source

* As this is used for a larger search than the initial non-distributed show source, it is larger than max_count

* Splunk will rarely return anywhere near this amount of results, as we will prune the excess results

* The point is to ensure the distributed search captures the target event in an environment with many events

* Defaults to 30000


[typeahead]

maxcount = <integer>

* Maximum number of typeahead results to find.

* Defaults to 1000


use_cache = [0|1]

* Specifies whether the typeahead cache will be used if use_cache is not specified in the command line or endpoint.

* Defaults to true.


fetch_multiplier = <integer>

* A multiplying factor that determines the number of terms to fetch from the index, fetch = fetch_multiplier x count.

* Defaults to 50


cache_ttl_sec = <integer>

* How long the typeahead cached results are valid, in seconds.

* Defaults to 300. 


min_prefix_length = <integer>

* The minimum string prefix after which to provide typeahead.

* Defaults to 1.


max_concurrent_per_user = <integer>

* The maximum number of concurrent typeahead searches per user. Once this maximum is reached only cached 

* typeahead results might be available

* Defaults to 3.


[typer]

maxlen = <int>

* In eventtyping, pay attention to first <int> characters of any attribute (such as _raw), including individual 

tokens. Can be overridden by supplying the typer operator with the argument maxlen (for example, "|typer maxlen=300").

* Defaults to 10000.


[authtokens]

expiration_time = <integer>

* Expiration time of auth tokens in seconds.

* Defaults to 3600


[sample]


maxsamples = <integer>

* Defaults to 10000


maxtotalsamples = <integer>

* Defaults to 100000


[metadata]

maxresultrows = <integer>

* The maximum number of results in a single chunk fetched by the metadata command.

* A smaller value requires less memory on the search head in setups with a

  large number of peers and many metadata results, though setting this too

  small will decrease search performance.

* Default is 10000.

* Do not change unless instructed to do so by Splunk Support.


maxcount = <integer>

* The total number of metadata search results returned by the search head;

  after maxcount is reached, any additional metadata results received from

  the search peers will be ignored (not returned).

* A larger number incurs additional memory usage on the search head.

* Default is 100000.


[set]

maxresultrows = <integer>

* The maximum number of results the set command will use from each resultset to compute the required set operation.


[input_channels]

max_inactive = <integer>

* internal setting, do not change unless instructed to do so by Splunk Support


lowater_inactive = <integer>

* internal setting, do not change unless instructed to do so by Splunk Support


inactive_eligibility_age_seconds = <integer>

* internal setting, do not change unless instructed to do so by Splunk Support


[ldap]

max_users_to_precache = <unsigned integer>

* The maximum number of users we will attempt to precache from LDAP after reloading auth

* Set this to 0 to turn off precaching


allow_multiple_matching_users = <bool>

* This controls whether we allow login when we find multiple entries with the same value for the username attribute

* When multiple entries are found, we choose the first user DN lexicographically

* Setting this to false is more secure as it does not allow any ambiguous login, but users with duplicate entries will not be able to log in.

* Defaults to true


[spath]

extraction_cutoff = <integer>

* For extract-all spath extraction mode, only apply extraction to the first <integer> number of bytes

* Defaults to 5000


extract_all = <boolean>

* Controls whether we respect automatic field extraction when spath is invoked manually.

* If true, we extract all fields regardless of settings.  If false, we only extract fields used by later splunk commands.


[reversedns]

rdnsMaxDutyCycle = <integer>

* generate diagnostic WARN in splunkd.log if reverse dns lookups are taking 

* more than this percent of time

* range 0-100

* default 10


[viewstates]


enable_reaper = <boolean>

* Controls whether the viewstate reaper runs

* Defaults to true


reaper_freq = <integer>

* Controls how often the viewstate reaper runs

* Defaults to 86400 (1 day)


reaper_soft_warn_level = <integer>

* Controls what the reaper considers an acceptable number of viewstates

* Defaults to 1000


ttl = <integer>

* Controls the age at which a viewstate is considered eligible for reaping

* Defaults to 86400 (1 day)


[geostats]


maxzoomlevel = <integer>

* controls the number of zoom levels that geostats will cluster events on


zl_0_gridcell_latspan = <float>

* controls the grid spacing, in latitude degrees, at the lowest zoom level (zoom level 0)

* grid spacing at other zoom levels is derived from this value by halving it at each zoom level.


zl_0_gridcell_longspan = <float>

* controls the grid spacing, in longitude degrees, at the lowest zoom level (zoom level 0)

* grid spacing at other zoom levels is derived from this value by halving it at each zoom level.


filterstrategy = <integer>

* controls the selection strategy on the geoviz map. Allowed values are 1 and 2


[tscollect]

squashcase = <boolean>

* The default value of the 'squashcase' argument if not specified by the command

* Defaults to false


keepresults = <boolean>

* The default value of the 'keepresults' argument if not specified by the command

* Defaults to false


optimize_max_size_mb = <unsigned int>

* The maximum size in megabytes of files to create with optimize

* Specify 0 for no limit (may create very large tsidx files)

* Defaults to 1024


[tstats]

apply_search_filter = <boolean>

* Controls whether we apply role-based search filters when users run tstats on normal index data

* Note: we never apply search filters to data collected with tscollect or datamodel acceleration

* Defaults to true


summariesonly = <boolean>

* The default value of 'summariesonly' arg if not specified by the command

* When running tstats on an accelerated datamodel, summariesonly=false implies a mixed mode where we will fall back to search for missing TSIDX data

* summariesonly=true overrides this mixed mode to only generate results from TSIDX data, which may be incomplete

* Defaults to false


[pdf]

max_rows_per_table = <unsigned int>

* The maximum number of rows that will be rendered for a table within integrated PDF rendering

* Defaults to 1000


render_endpoint_timeout = <unsigned int>

* The number of seconds after which the pdfgen render endpoint will timeout if it has not yet finished rendering the PDF output 

* Defaults to 3600


Posted by fckorea

#   Version 6.0

#

# This file contains attributes and values that you can use to configure data transformations

# and event signing in transforms.conf.

#

# Transforms.conf is commonly used for:

# * Configuring regex-based host and source type overrides. 

# * Anonymizing certain types of sensitive incoming data, such as credit card or social 

#   security numbers. 

# * Routing specific events to a particular index, when you have multiple indexes. 

# * Creating new index-time field extractions. NOTE: We do not recommend adding to the set of 

#   fields that are extracted at index time unless it is absolutely necessary because there

#   are negative performance implications.

# * Creating advanced search-time field extractions that involve one or more of the following:

# * Reuse of the same field-extracting regular expression across multiple sources, 

#  source types, or hosts.

# * Application of more than one regex to the same source, source type, or host.

#       * Using a regex to extract one or more values from the values of another field.

# * Delimiter-based field extractions (they involve field-value pairs that are 

#  separated by commas, colons, semicolons, bars, or something similar).

# * Extraction of multiple values for the same field (multivalued field extraction).

# * Extraction of fields with names that begin with numbers or underscores.

# * NOTE: Less complex search-time field extractions can be set up entirely in props.conf.

# * Setting up lookup tables that look up fields from external sources.

#

# All of the above actions require corresponding settings in props.conf.

#

# You can find more information on these topics by searching the Splunk documentation 

# (http://docs.splunk.com/Documentation)

#

# There is a transforms.conf file in $SPLUNK_HOME/etc/system/default/. To set custom 

# configurations, place a transforms.conf in $SPLUNK_HOME/etc/system/local/. For examples, see the

# transforms.conf.example file.

#

# You can enable configuration changes made to transforms.conf by typing the following search

# string in Splunk Web:

#

# | extract reload=t 

#

# To learn more about configuration files (including precedence) please see the documentation 

# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles


# GLOBAL SETTINGS

# Use the [default] stanza to define any global settings.

#     * You can also define global settings outside of any stanza, at the top of the file.

#     * Each conf file should have at most one default stanza. If there are multiple default

#       stanzas, attributes are combined. In the case of multiple definitions of the same

#       attribute, the last definition in the file wins.

#     * If an attribute is defined at both the global level and in a specific stanza, the

#       value in the specific stanza takes precedence.



[<unique_transform_stanza_name>]

* Name your stanza. Use this name when you configure field extractions, lookup tables, and event 

  routing in props.conf. For example, if you are setting up an advanced search-time field 

  extraction, in props.conf you would add REPORT-<class> = <unique_transform_stanza_name> under 

  the [<spec>] stanza that corresponds with a stanza you've created in transforms.conf.

* Follow this stanza name with any number of the following attribute/value pairs, as appropriate

  for what you intend to do with the transform.  

* If you do not specify an entry for each attribute, Splunk uses the default value.


REGEX = <regular expression>

* Regular expression setting for transforming the data.

* Enter a regular expression to operate on your data. 

* NOTE: This attribute is valid for both index-time and search-time field extraction.

* REGEX is required for all search-time transforms unless you are setting up a 

 delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute 

 description, below).

* REGEX is required for all index-time transforms.

* REGEX and the FORMAT attribute:

* Name-capturing groups in the REGEX are extracted directly to fields. This means that you

 do not need to specify the FORMAT attribute for simple field extraction cases (see the 

 description of FORMAT, below).

* If the REGEX extracts both the field name and its corresponding field value, you can use 

 the following special capturing groups if you want to skip specifying the mapping in 

 FORMAT: 

 _KEY_<string>, _VAL_<string>. 

* For example, the following are equivalent:

* Using FORMAT:

* REGEX  = ([a-z]+)=([a-z]+)

* FORMAT = $1::$2

* Without using FORMAT

* REGEX  = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

* When using either of the above formats, in a search-time extraction, the

 regex will continue to match against the source text, extracting as many

 fields as can be identified in the source text.

* Defaults to an empty string.


FORMAT = <string>

* Sets the final form of the transformed data.

* Used together with the REGEX option.

* NOTE: This option is valid for both index-time and search-time field extraction. However, FORMAT 

  behaves differently depending on whether the extraction is performed at index time or 

  search time.

* This attribute specifies the format of the event, including any field names or values you want 

  to add.

* FORMAT for index-time extractions:

* Use $n (for example $1, $2, etc) to specify the output of each REGEX match. 

* If REGEX does not have n groups, the matching fails. 

* The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

* At index time only, you can use FORMAT to create concatenated fields:

* FORMAT = ipaddress::$1.$2.$3.$4

* When you create concatenated fields with FORMAT, "$" is the only special character. It is 

 treated as a prefix for regex-capturing groups only if it is followed by a number and only 

 if the number applies to an existing capturing group. So if REGEX has only one capturing 

 group and its value is "bar", then:

* "FORMAT = foo$1" yields "foobar"

* "FORMAT = foo$bar" yields "foo$bar"

* "FORMAT = foo$1234" yields "foo$1234"

* "FORMAT = foo$1\$2" yields "foobar\$2"

* At index-time, FORMAT defaults to <stanza-name>::$1

* FORMAT for search-time extractions:

* The format of this field as used during search time extractions is as follows:

* FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* 

* where:

* field-name  = [<string>|$<extracting-group-number>]

* field-value = [<string>|$<extracting-group-number>]

* Search-time extraction examples:

* 1. FORMAT = first::$1 second::$2 third::other-value

* 2. FORMAT = $1::$2

* If the key-name of a FORMAT setting is varying, for example $1 in the

 example 2 just above, then the regex will continue to match against

 the source key to extract as many matches as are present in the text.

* NOTE: You cannot create concatenated fields with FORMAT at search time. That 

 functionality is only available at index time.

* At search-time, FORMAT defaults to an empty string.


LOOKAHEAD = <integer>

* NOTE: This option is only valid for index-time field extractions.

* Optional. Specifies how many characters to search into an event.

* Defaults to 4096. You may want to increase this value if you have event line lengths that 

  exceed 4096 characters (before linebreaking).


WRITE_META = [true|false]

* NOTE: This attribute is only valid for index-time field extractions.

* Automatically writes REGEX to metadata.

* Required for all index-time field extractions except for those where DEST_KEY = _meta (see 

  the description of the DEST_KEY attribute, below)

* Use instead of DEST_KEY = _meta.

* Defaults to false.


DEST_KEY = <KEY>

* Sets the key where the transformed data is stored.

* Refers to the field where data transformed by the FORMAT option is stored.

* NOTE: This attribute is only valid for index-time field extractions.

* Specifies where Splunk stores the expanded FORMAT results in accordance with the REGEX match.

* Required for index-time field extractions where WRITE_META = false or is not set.

* For index-time extractions, DEST_KEY can be set to a number of values

  mentioned in the KEYS section at the bottom of this file.

        * If DEST_KEY = _meta (not recommended) you should also add $0 to the

          start of your FORMAT attribute.  $0 represents the DEST_KEY value

          before Splunk performs the REGEX (in other words, _meta).

                * The $0 value is in no way derived *from* the REGEX match. (It

                  does not represent a captured group.)

     * KEY names are case-sensitive, and should be used exactly as they appear in the KEYs list at

       the bottom of this file. (For example, you would say DEST_KEY = MetaData:Host, *not* 

       DEST_KEY = metadata:host .)


DEFAULT_VALUE = <string>

* NOTE: This attribute is only valid for index-time field extractions.

* Optional. Splunk writes the DEFAULT_VALUE to DEST_KEY if the REGEX fails.

* Defaults to empty.


SOURCE_KEY = <string>

* NOTE: This attribute is valid for both index-time and search-time field extractions.

* Optional. Defines the KEY that Splunk applies the REGEX to. 

* For search time extractions, you can use this attribute to extract one or more values from 

  the values of another field. You can use any field that is available at the time of the 

  execution of this field extraction.

* For index-time extractions use the KEYs described at the bottom of this file. 

     * KEYs are case-sensitive, and should be used exactly as they appear in the KEYs list at

       the bottom of this file. (For example, you would say SOURCE_KEY = MetaData:Host, *not* 

       SOURCE_KEY = metadata:host .)

* If <string> starts with "field:" or "fields:" the meaning is changed.  Instead of 

  looking up a KEY, it instead looks up an already indexed field.  For example, if

  a CSV field name "price" was indexed then "SOURCE_KEY=field:price" will cause REGEX

  to match against the contents of that field.  It's also possible to list multiple

  fields here with "SOURCE_KEY=fields:name1,name2,name3" which will cause MATCH to be

  run against a string comprising all three values, separated by space characters.

* SOURCE_KEY is typically used in conjunction with REPEAT_MATCH in index-time field 

  transforms.

* Defaults to _raw, which means it is applied to the raw, unprocessed text of all events.


REPEAT_MATCH = [true|false]

* NOTE: This attribute is only valid for index-time field extractions.

* Optional. When set to true Splunk runs the REGEX multiple times on the SOURCE_KEY. 

* REPEAT_MATCH starts wherever the last match stopped, and continues until no more matches are 

  found. Useful for situations where an unknown number of REGEX matches are expected per

  event.

* Defaults to false.


DELIMS = <quoted string list>

* NOTE: This attribute is only valid for search-time field extractions.

* IMPORTANT: If a value may contain an embedded unescaped double quote character, 

  such as "foo"bar", use REGEX, not DELIMS. An escaped double quote (\") is ok.

* Optional. Used in place of REGEX when dealing with delimiter-based field extractions, 

  where field values (or field/value pairs) are separated by delimiters such as colons, 

  spaces, line breaks, and so on.

* Sets delimiter characters, first to separate data into field/value pairs, and then to 

  separate field from value.

* Each individual character in the delimiter string is used as a delimiter to split the event.

* Delimiters must be quoted with " " (use \ to escape).

* When the event contains full delimiter-separated field/value pairs, you enter two sets of 

  quoted characters for DELIMS: 

* The first set of quoted delimiters extracts the field/value pairs.

* The second set of quoted delimiters separates the field name from its corresponding

 value.

* When the event only contains delimiter-separated values (no field names) you use just one set

  of quoted delimiters to separate the field values. Then you use the FIELDS attribute to

  apply field names to the extracted values (see FIELDS, below).

  * Alternately, Splunk reads even tokens as field names and odd tokens as field values.

* Splunk consumes consecutive delimiter characters unless you specify a list of field names.

* The following example of DELIMS usage applies to an event where field/value pairs are 

  separated by '|' symbols and the field names are separated from their corresponding values 

  by '=' symbols:

  [pipe_eq]

  DELIMS = "|", "="

* Defaults to "".  

  

FIELDS = <quoted string list>

* NOTE: This attribute is only valid for search-time field extractions.

* Used in conjunction with DELIMS when you are performing delimiter-based field extraction 

  and only have field values to extract. 

* FIELDS enables you to provide field names for the extracted field values, in list format 

  according to the order in which the values are extracted.

* NOTE: If field names contain spaces or commas they must be quoted with " " (to escape, 

  use \).

* The following example is a delimiter-based field extraction where three field values appear

  in an event. They are separated by a comma and then a space.

  [commalist]

  DELIMS = ", "

  FIELDS = field1, field2, field3

* Defaults to "".


MV_ADD = [true|false]

* NOTE: This attribute is only valid for search-time field extractions.

* Optional. Controls what the extractor does when it finds a field which already exists.

* If set to true, the extractor makes the field a multivalued field and appends the 

  newly found value; otherwise the newly found value is discarded.

* Defaults to false.


CLEAN_KEYS = [true|false]

* NOTE: This attribute is only valid for search-time field extractions.

* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time. 

  "Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other

  than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as 

  well as the stripping of leading underscores and 0-9 characters from field names.

* Add CLEAN_KEYS = false to your transform if you need to extract field names that include 

  non-alphanumeric characters, or which begin with underscores or 0-9 characters.

* Defaults to true.


KEEP_EMPTY_VALS = [true|false]

* NOTE: This attribute is only valid for search-time field extractions.

* Optional. Controls whether Splunk keeps field/value pairs when the value is an empty string.

* This option does not apply to field/value pairs that are generated by Splunk's autokv 

  extraction. Autokv ignores field/value pairs with empty values.

* Defaults to false.
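As an added example (not part of the transforms.conf spec or of Splunk's own code), the following Python emulates how DELIMS, FIELDS, MV_ADD, CLEAN_KEYS and KEEP_EMPTY_VALS interact on constructed firewall-style and CSV-style events; the helper names and sample events are this example's own:

```python
import re

# Constructed sample events (not from the page).
FIREWALL_EVENT = "src-ip=10.0.0.5|dst-ip=10.0.0.9|action=blocked|action=logged|url=/a?x=1"
CSV_EVENT = "alice,,admin"


def _split(text, delims, collapse, maxsplit=0):
    """Split text on any single character in delims (each character is its own delimiter).
    With collapse, a run of delimiter characters acts as one separator; without it every
    delimiter separates two tokens, so adjacent delimiters yield an empty token (which is
    how a FIELDS extraction exposes a missing value)."""
    pattern = "[" + re.escape(delims) + "]" + ("+" if collapse else "")
    return re.split(pattern, text, maxsplit=maxsplit)


def clean_key(key):
    """CLEAN_KEYS = true: non-alphanumerics become '_', then leading '_' and digits go."""
    return re.sub(r"[^A-Za-z0-9]", "_", key).lstrip("_0123456789")


def extract_delims(event, delims, fields=None, mv_add=False, clean_keys=True,
                   keep_empty_vals=False):
    """Emulate a search-time DELIMS transform on one event.

    delims: the DELIMS list; one string (values only) or two strings
            (pair-separator characters, then key/value-separator characters).
    fields: the FIELDS list, used only with a single delimiter set.
    Returns {field: value}; value is a list where MV_ADD merged duplicate fields.
    """
    if len(delims) == 2:
        # Two sets: the first splits the event into pairs, the second splits key from value.
        pairs = []
        for chunk in _split(event, delims[0], collapse=True):
            kv = _split(chunk, delims[1], collapse=True, maxsplit=1)
            if len(kv) == 2 and kv[0]:
                pairs.append((kv[0], kv[1]))
    elif fields:
        # One set plus FIELDS: names come from FIELDS in extraction order; consecutive
        # delimiters are not consumed, so a missing value is visible as "".
        values = _split(event, delims[0], collapse=False)
        pairs = list(zip(fields, values))
    else:
        # One set, no FIELDS: even tokens are field names, odd tokens are values.
        tokens = [t for t in _split(event, delims[0], collapse=True) if t]
        pairs = list(zip(tokens[0::2], tokens[1::2]))

    extracted = {}
    for key, value in pairs:
        if clean_keys:
            key = clean_key(key)
        if not key or (value == "" and not keep_empty_vals):
            continue          # KEEP_EMPTY_VALS = false drops empty values
        if key in extracted:
            if mv_add:
                # MV_ADD = true: turn the field into a multivalued field.
                current = extracted[key]
                extracted[key] = (current if isinstance(current, list) else [current]) + [value]
            continue          # MV_ADD = false: the newly found value is discarded
        extracted[key] = value
    return extracted


if __name__ == "__main__":
    print(extract_delims(FIREWALL_EVENT, ["|", "="], mv_add=True))
    print(extract_delims(CSV_EVENT, [","], fields=["user", "dept", "role"], keep_empty_vals=True))
```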


CAN_OPTIMIZE = [true|false]

* NOTE: This attribute is only valid for search-time field extractions.

* Optional. Controls whether Splunk can optimize this extraction out (another way of saying

  the extraction is disabled). 

* You might use this if you're running searches under a Search Mode setting that disables field 

  discovery--it ensures that Splunk *always* discovers specific fields.

* Splunk only disables an extraction if it can determine that none of the fields identified by 

  the extraction will ever be needed for the successful evaluation of a search. 

* NOTE: This option should be rarely set to false.

* Defaults to true.



#*******

# Lookup tables

#*******

# NOTE: Lookup tables are used ONLY during search time


filename = <string>

* Sets the lookup file.

* The lookup file must exist in the app's lookups directory ($SPLUNK_HOME/etc/<app_name>/lookups/).

* Name of static lookup file.  

* File should be in $SPLUNK_HOME/etc/<app_name>/lookups/ for some <app_name>, or in 

  $SPLUNK_HOME/etc/system/lookups/

* If file is in multiple 'lookups' directories, no layering is done.  

* Standard conf file precedence is used to disambiguate.

* Defaults to empty string.


max_matches = <integer>

* Sets the maximum number of matches for the lookup.

* The maximum number of possible matches for each input lookup value (range 1 - 1000).

* If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is 

  not specified), Splunk uses the first <integer> entries, in file order.   

* If the lookup is temporal, Splunk uses the first <integer> entries in descending time order.

  In other words, up to <max_matches> lookup entries will be allowed to match, and

  if more than this many match, the ones nearest to the lookup value will be used.

* Default = 1000 if the lookup is not temporal, default = 1 if it is temporal.


min_matches = <integer>

* Sets the minimum number of matches for the lookup.

* Minimum number of possible matches for each input lookup value.

* Default = 0 for both temporal and non-temporal lookups, which means that Splunk outputs 

  nothing if it cannot find any matches.

* However, if min_matches > 0 and Splunk gets fewer than min_matches, then Splunk provides 

  the default_match value (see below).


default_match = <string>

* If min_matches > 0 and Splunk has less than min_matches for any given input, it provides 

  this default_match value one or more times until the min_matches threshold is reached.

* Defaults to empty string.  


case_sensitive_match = <bool>

* Sets whether lookup matching is case-sensitive.

* If set to false, case insensitive matching will be performed for all fields in a lookup 

  table

* Defaults to true (case sensitive matching)


match_type = <string>

* Sets the match type for the lookup.

* With CIDR, matching can be done by IP class (network range).

* A comma- and space-delimited list of <match_type>(<field_name>) specifications to allow for 

  non-exact matching.

* The available match_type values are WILDCARD, CIDR, and EXACT.  EXACT is the default and 

  does not need to be specified.  Only fields that should use WILDCARD or CIDR matching should 

  be specified in this list.
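An added example, not Splunk's own code, that emulates a non-temporal lookup with max_matches, min_matches, default_match, case_sensitive_match and match_type (CIDR and WILDCARD) against a constructed IP-to-zone table; parse_match_type() takes the spec's "CIDR(field), WILDCARD(field)" string, and the table, field names and helper names are this example's own:

```python
import ipaddress
import re

# Constructed lookup table (the rows of a CSV in file order). More specific rows come
# first because a non-temporal lookup keeps the first max_matches rows in *file* order.
ZONE_TABLE = [
    {"src_ip": "10.10.0.0/16", "user": "svc-*", "zone": "dmz-services", "risk": "medium"},
    {"src_ip": "10.0.0.0/8",   "user": "*",     "zone": "corp",         "risk": "low"},
    {"src_ip": "0.0.0.0/0",    "user": "*",     "zone": "internet",     "risk": "high"},
]


def parse_match_type(spec):
    """Parse a match_type value such as "CIDR(src_ip), WILDCARD(user)" into {field: type}."""
    return {field: kind for kind, field in re.findall(r"(WILDCARD|CIDR|EXACT)\((\w+)\)", spec)}


MATCH_TYPE = parse_match_type("CIDR(src_ip), WILDCARD(user)")


def _field_matches(kind, row_value, event_value, case_sensitive):
    if kind == "CIDR":
        # The table holds a network in CIDR notation; the event holds an address.
        try:
            return ipaddress.ip_address(event_value) in ipaddress.ip_network(row_value, strict=False)
        except ValueError:
            return False
    if not case_sensitive:
        row_value, event_value = row_value.lower(), event_value.lower()
    if kind == "WILDCARD":
        # Only '*' is special in the table value; everything else is literal.
        regex = ".*".join(re.escape(part) for part in row_value.split("*"))
        return re.fullmatch(regex, event_value) is not None
    return row_value == event_value            # EXACT


def lookup(table, inputs, max_matches=1000, min_matches=0, default_match="",
           case_sensitive_match=True, match_type=None):
    """Emulate a non-temporal static lookup.

    inputs:     {field: value} taken from the event; every field must match the row.
    match_type: {field: "WILDCARD" | "CIDR"} (see parse_match_type); other fields are EXACT.
    Returns matching rows in file order, cut to max_matches and padded with rows whose
    output fields all equal default_match until min_matches is reached.
    """
    match_type = match_type or {}
    rows = [row for row in table
            if all(_field_matches(match_type.get(f, "EXACT"), row.get(f, ""), v,
                                  case_sensitive_match) for f, v in inputs.items())]
    rows = rows[:max_matches]
    output_fields = [f for f in (table[0] if table else {}) if f not in inputs]
    while len(rows) < min_matches:
        rows.append({f: default_match for f in output_fields})
    return rows


if __name__ == "__main__":
    print(lookup(ZONE_TABLE, {"src_ip": "10.10.3.4", "user": "svc-backup"},
                 max_matches=1, match_type=MATCH_TYPE))
```

Because file order decides which of several CIDR matches survives max_matches, a table written with the broad 0.0.0.0/0 row first would label every address "internet".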


external_cmd = <string>

* Provides the command and arguments to invoke to perform a lookup. Use this for external 

  (or "scripted") lookups, where you interface with an external script rather than a 

  lookup table.

* This string is parsed like a shell command.

* The first argument is expected to be a python script (or executable file) located in 

  $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts).

* Presence of this field indicates that the lookup is external and command based.

* Defaults to empty string.


fields_list = <string>

* A comma- and space-delimited list of all fields that are supported by the external command.


external_type = [python|executable]

* Type of external command.  

* "python": a Python script.

* "executable": a binary executable.

* Defaults to "python".


time_field = <string>

* Used for temporal (time bounded) lookups. Specifies the name of the field in the lookup 

  table that represents the timestamp.

* Defaults to an empty string, meaning that lookups are not temporal by default.


time_format = <string>

* For temporal lookups this specifies the 'strptime' format of the timestamp field.

* You can include subseconds but Splunk will ignore them.

* Defaults to %s.%Q, that is, seconds since the Unix epoch in UTC with optional milliseconds.


max_offset_secs = <integer>

* For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be 

  later than the lookup entry time for a match to occur.

* Default is 2000000000 (no maximum, effectively).


min_offset_secs = <integer>

* For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be 

  later than the lookup entry timestamp for a match to occur.

* Defaults to 0.
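An added example (not Splunk's own code) of the temporal rules above: time_field, time_format, max_matches, min_offset_secs and max_offset_secs applied to a constructed DHCP lease table, answering which host held an address when an event happened; the table, helper names and the %Y-%m-%d %H:%M:%S format are this example's own:

```python
from datetime import datetime

# Constructed DHCP lease history (CSV rows in file order). "Which host held this address
# at the time of the event" is the classic temporal-lookup question in an investigation.
LEASE_TABLE = [
    {"lease_time": "2013-12-09 08:00:00", "ip": "10.0.0.5", "host": "laptop-alice"},
    {"lease_time": "2013-12-09 12:00:00", "ip": "10.0.0.5", "host": "laptop-bob"},
    {"lease_time": "2013-12-09 09:30:00", "ip": "10.0.0.9", "host": "printer-1"},
]
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # the spec's default %s.%Q is not a Python strptime format


def parse_time(text):
    """Parse a timestamp written in TIME_FORMAT (used for both table rows and events)."""
    return datetime.strptime(text, TIME_FORMAT)


def temporal_lookup(table, inputs, event_time, time_field, time_format=TIME_FORMAT,
                    max_matches=1, min_offset_secs=0, max_offset_secs=2000000000):
    """Emulate a temporal (time-bounded) lookup.

    A row matches when its non-time fields equal inputs and the event is later than the
    row's timestamp by at least min_offset_secs and at most max_offset_secs. Matching rows
    are taken in descending time order, so max_matches=1 (the temporal default) returns the
    newest row that predates the event.
    """
    candidates = []
    for row in table:
        if any(row.get(f) != v for f, v in inputs.items()):
            continue
        entry_time = datetime.strptime(row[time_field], time_format)
        offset = (event_time - entry_time).total_seconds()   # positive when the event is later
        if min_offset_secs <= offset <= max_offset_secs:
            candidates.append((entry_time, row))
    candidates.sort(key=lambda item: item[0], reverse=True)   # newest lookup entry first
    return [row for _, row in candidates[:max_matches]]


def host_for(ip, event_time, **kwargs):
    """Resolve an IP to the host that held its lease when the event happened ('' if none)."""
    rows = temporal_lookup(LEASE_TABLE, {"ip": ip}, event_time, "lease_time", **kwargs)
    return rows[0]["host"] if rows else ""


if __name__ == "__main__":
    print(host_for("10.0.0.5", parse_time("2013-12-09 10:00:00")))   # laptop-alice
    print(host_for("10.0.0.5", parse_time("2013-12-09 13:00:00")))   # laptop-bob
```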


batch_index_query = <bool>

* For large file based lookups, this determines whether queries can be grouped to improve 

  search performance.

* Default is unspecified here, but defaults to true (at global level in limits.conf)


allow_caching = <bool>

* Allow output from lookup scripts to be cached.

* Default is true.


#*******

# KEYS:

#*******

* NOTE: Keys are case-sensitive. Use the following keys exactly as they appear.


queue : Specify which queue to send the event to (can be parsingQueue, nullQueue, indexQueue).

_raw  : The raw text of the event.

_meta : A space-separated list of metadata for an event.

_time : The timestamp of the event, in seconds since 1/1/1970 UTC.


MetaData:Host       : The host associated with the event.

                      The value must be prefixed by "host::"


_MetaData:Index     : The index where the event should be stored.


MetaData:Source     : The source associated with the event.

                      The value must be prefixed by "source::"


MetaData:Sourcetype : The sourcetype of the event.

                      The value must be prefixed by "sourcetype::"


_TCP_ROUTING        : Comma separated list of tcpout group names (from outputs.conf)

                      Defaults to groups present in 'defaultGroup' for [tcpout].


_SYSLOG_ROUTING     : Comma separated list of syslog-stanza names (from outputs.conf)

                      Defaults to groups present in 'defaultGroup' for [syslog].


* NOTE: Any KEY (field name) prefixed by '_' is not indexed by Splunk, in general.



[accepted_keys]


<name> = <key>


* Modifies Splunk's list of key names it considers valid when automatically

  checking your transforms for use of undocumented SOURCE_KEY or DEST_KEY

  values in index-time transformations.

* By adding entries to [accepted_keys], you can tell Splunk that a key that is

  not documented is a key you intend to work for reasons that are valid in your

  environment / app / etc.

* The 'name' element is simply used to disambiguate entries, similar to -class

  entries in props.conf.  The name can be anything of your choosing, including a

  descriptive name for why you use the key.

* The entire stanza defaults to not being present, causing all keys not

  documented just above to be flagged.


Posted by fckorea

#

# This file contains possible attribute/value pairs for configuring Splunk's processing

# properties via props.conf.

#

# Props.conf is commonly used for:

#

# * Configuring linebreaking for multiline events.

# * Setting up character set encoding.

# * Allowing processing of binary files.

# * Configuring timestamp recognition.

# * Configuring event segmentation.

# * Overriding Splunk's automated host and source type matching. You can use props.conf to:

#       * Configure advanced (regex-based) host and source type overrides.

#       * Override source type matching for data from a particular source.

#       * Set up rule-based source type recognition.

#       * Rename source types.

# * Anonymizing certain types of sensitive incoming data, such as credit card or social

#   security numbers, using sed scripts.

# * Routing specific events to a particular index, when you have multiple indexes.

# * Creating new index-time field extractions, including header-based field extractions.

#   NOTE: We do not recommend adding to the set of fields that are extracted at index time

#   unless it is absolutely necessary because there are negative performance implications.

# * Defining new search-time field extractions. You can define basic search-time field

#   extractions entirely through props.conf. But a transforms.conf component is required if

#   you need to create search-time field extractions that involve one or more of the following:

#       * Reuse of the same field-extracting regular expression across multiple sources,

#         source types, or hosts.

#       * Application of more than one regex to the same source, source type, or host.

#       * Delimiter-based field extractions (they involve field-value pairs that are

#         separated by commas, colons, semicolons, bars, or something similar).

#       * Extraction of multiple values for the same field (multivalued field extraction).

#       * Extraction of fields with names that begin with numbers or underscores.

# * Setting up lookup tables that look up fields from external sources.

# * Creating field aliases.

#

# NOTE: Several of the above actions involve a corresponding transforms.conf configuration.

#

# You can find more information on these topics by searching the Splunk documentation

# (http://docs.splunk.com/Documentation/Splunk).

#

# There is a props.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations,

# place a props.conf in $SPLUNK_HOME/etc/system/local/. For help, see

# props.conf.example.

#

# You can enable configuration changes made to props.conf by typing the following search string

# in Splunk Web:

#

# | extract reload=T

#

# To learn more about configuration files (including precedence) please see the documentation

# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

#

# For more information about using props.conf in conjunction with distributed Splunk

# deployments, see the Distributed Deployment Manual.


# GLOBAL SETTINGS

# Use the [default] stanza to define any global settings.

#     * You can also define global settings outside of any stanza, at the top of the file.

#     * Each conf file should have at most one default stanza. If there are multiple default

#       stanzas, attributes are combined. In the case of multiple definitions of the same

#       attribute, the last definition in the file wins.

#     * If an attribute is defined at both the global level and in a specific stanza, the

#       value in the specific stanza takes precedence.


[<spec>]

* This stanza enables properties for a given <spec>.

* A props.conf file can contain multiple stanzas for any number of different <spec>.

* Follow this stanza name with any number of the following attribute/value pairs, as appropriate

  for what you want to do.

* If you do not set an attribute for a given <spec>, the default is used.


<spec> can be:

1. <sourcetype>, the source type of an event.

2. host::<host>, where <host> is the host, or host-matching pattern, for an event.

3. source::<source>, where <source> is the source, or source-matching pattern, for an event.

4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.

5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type

   classification rule.

These are only considered as a last resort before generating a new source type based on the

source seen.


**[<spec>] stanza precedence:**


For settings that are specified in multiple categories of matching [<spec>] stanzas,

[host::<host>] settings override [<sourcetype>] settings. Additionally,

[source::<source>] settings override both [host::<host>] and

[<sourcetype>] settings.


**Considerations for Windows file paths:**


When you specify Windows-based file paths as part of a [source::<source>] stanza, you must

escape any backslashes contained within the specified file path.


Example: [source::c:\\path_to\\file.txt]


**[<spec>] stanza patterns:**


When setting a [<spec>] stanza, you can use the following regex-type syntax:

... recurses through directories until the match is met.

*   matches anything but / 0 or more times.

|   is equivalent to 'or'

( ) are used to limit scope of |.


Example: [source::....(?<!tar.)(gz|tgz)]


**[source::<source>] and [host::<host>] stanza match language:**


Match expressions must match the entire name, not just a substring. If you are familiar

with regular expressions, match expressions are based on a full implementation of PCRE with the

translation of ..., * and . Thus . matches a period, * matches non-directory separators,

and ... matches any number of any characters.


For more information see the wildcards section at:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards


**[<spec>] stanza pattern collisions:**


Suppose the source of a given input matches multiple [source::<source>] patterns. If the

[<spec>] stanzas for these patterns each supply distinct settings, Splunk applies all of these

settings.


However, suppose two [<spec>] stanzas supply the same setting. In this case, Splunk chooses

the value to apply based on the ASCII order of the patterns in question.


For example, take this source:


    source::az


and the following colliding patterns:


    [source::...a...]

    sourcetype = a


    [source::...z...]

    sourcetype = z


In this case, the settings provided by the pattern [source::...a...] take precedence over those

provided by [source::...z...], and sourcetype ends up with "a" as its value.


To override this default ASCII ordering, use the priority key:


    [source::...a...]

    sourcetype = a

    priority = 5


    [source::...z...]

    sourcetype = z

    priority = 10


Assigning a higher priority to the second stanza causes sourcetype to have the value "z".


**Case-sensitivity for [<spec>] stanza matching:**


By default, [source::<source>] and [<sourcetype>] stanzas match in a case-sensitive manner,

while [host::<host>] stanzas match in a case-insensitive manner. This is a convenient default,

given that DNS names are case-insensitive.


To force a [host::<host>] stanza to match in a case-sensitive manner use the "(?-i)" option in

its pattern.


For example:


    [host::foo]

    FIELDALIAS-a = a AS one


    [host::(?-i)bar]

    FIELDALIAS-b = b AS two


The first stanza will actually apply to events with host values of "FOO" or

"Foo". The second stanza, on the other hand, will not apply to events with

host values of "BAR" or "Bar".


**Building the final [<spec>] stanza:**


The final [<spec>] stanza is built by layering together (1) literal-matching stanzas (stanzas

which match the string literally) and (2) any regex-matching stanzas, according to the value of

the priority field.


If not specified, the default value of the priority key is:

* 0 for pattern-matching stanzas.

* 100 for literal-matching stanzas.


NOTE: Setting the priority key to a value greater than 100 causes the pattern-matched [<spec>]

stanzas to override the values of the literal-matching [<spec>] stanzas.


The priority key can also be used to resolve collisions between [<sourcetype>] patterns and

[host::<host>] patterns. However, be aware that the priority key does *not* affect precedence

across <spec> types. For example, [<spec>] stanzas with [source::<source>] patterns take

priority over stanzas with [host::<host>] and [<sourcetype>] patterns, regardless of their

respective priority key values.
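An added Python example, not Splunk's own code, that resolves the final [<spec>] settings for one event using the rules above: spec-pattern translation, full-name matching, host:: case-insensitivity with (?-i), the priority key with its ASCII tie-break, and the fixed source > host > sourcetype order. The stanza sets are constructed (the first three reuse the page's own collision, priority and host cases); the function names are this example's own.

```python
import re

# Constructed stanza sets, as {stanza_name: {setting: value}}, the way a parser would
# hand them over. PROPS_LAYERED adds a cross-type case the page describes in prose.
PROPS_COLLIDE = {"source::...a...": {"sourcetype": "a"},
                 "source::...z...": {"sourcetype": "z"}}
PROPS_PRIORITY = {"source::...a...": {"sourcetype": "a", "priority": "5"},
                  "source::...z...": {"sourcetype": "z", "priority": "10"}}
PROPS_HOST = {"host::foo": {"FIELDALIAS-a": "a AS one"},
              "host::(?-i)bar": {"FIELDALIAS-b": "b AS two"}}
PROPS_LAYERED = {"syslog": {"TZ": "UTC", "MAX_EVENTS": "256"},
                 "host::web-*": {"TZ": "America/New_York"},
                 "source::/var/log/auth.log": {"TZ": "Asia/Seoul"}}

TYPE_RANK = {"sourcetype": 0, "host": 1, "source": 2}   # source beats host beats sourcetype


def spec_to_regex(spec):
    """Translate [<spec>] pattern syntax to a regex: '...' -> '.*', '*' -> '[^/]*',
    '.' -> '\\.'; anything else ('|', '( )', lookbehinds) passes through untouched."""
    out, i = [], 0
    while i < len(spec):
        if spec.startswith("...", i):
            out.append(".*")
            i += 3
        else:
            out.append({"*": "[^/]*", ".": r"\."}.get(spec[i], spec[i]))
            i += 1
    return "".join(out)


def parse_stanza_name(name):
    """'host::x' -> ('host', 'x'); 'source::x' -> ('source', 'x'); 'x' -> ('sourcetype', 'x')."""
    for prefix in ("host::", "source::"):
        if name.startswith(prefix):
            return prefix[:-2], name[len(prefix):]
    return "sourcetype", name


def is_pattern(spec):
    """Pattern-matching stanzas use wildcards or regex syntax; the rest match literally."""
    return "..." in spec or any(ch in spec for ch in "*|()?")


def stanza_matches(stype, spec, value):
    """Whole-name match. host:: stanzas ignore case unless the pattern carries (?-i)."""
    ignore_case = stype == "host" and "(?-i)" not in spec
    spec = spec.replace("(?-i)", "")           # expressed through the flag instead
    if not is_pattern(spec):
        return value.lower() == spec.lower() if ignore_case else value == spec
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(spec_to_regex(spec), value, flags) is not None


def resolve_props(stanzas, source=None, host=None, sourcetype=None):
    """Layer every matching stanza into the final settings for one event.

    Lower layers are applied first and overridden by higher ones:
      1. spec type: sourcetype < host < source (priority never crosses types);
      2. the priority key, defaulting to 0 for pattern stanzas and 100 for literal ones;
      3. ASCII order of the pattern text, the lexically earlier pattern winning a tie.
    """
    values = {"source": source, "host": host, "sourcetype": sourcetype}
    matched = []
    for name, settings in stanzas.items():
        stype, spec = parse_stanza_name(name)
        if values[stype] is None or not stanza_matches(stype, spec, values[stype]):
            continue
        default_priority = 0 if is_pattern(spec.replace("(?-i)", "")) else 100
        priority = int(settings.get("priority", default_priority))
        matched.append((TYPE_RANK[stype], priority, spec, settings))
    matched.sort(key=lambda m: m[2], reverse=True)    # ASCII-later patterns applied first
    matched.sort(key=lambda m: (m[0], m[1]))          # stable: type rank, then priority
    final = {}
    for _, _, _, settings in matched:
        final.update({k: v for k, v in settings.items() if k != "priority"})
    return final


if __name__ == "__main__":
    print(resolve_props(PROPS_COLLIDE, source="az"))                       # sourcetype a
    print(resolve_props(PROPS_PRIORITY, source="az"))                      # sourcetype z
    print(resolve_props(PROPS_LAYERED, source="/var/log/auth.log",
                        host="WEB-01", sourcetype="syslog"))               # TZ Asia/Seoul
```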



#******************************************************************************

# The possible attributes/value pairs for props.conf, and their

# default values, are:

#******************************************************************************


# International characters and character encoding.


CHARSET = <string>

* Setting for the character encoding of the log text.

* The default is ASCII.

* When set, Splunk assumes the input from the given [<spec>] is in the specified encoding.

* Can only be used as the basis of [<sourcetype>] or [source::<spec>], not [host::<spec>].

* A list of valid encodings can be retrieved using the command "iconv -l" on most *nix systems.

* If an invalid encoding is specified, a warning is logged during initial configuration and

  further input from that [<spec>] is discarded.

* If the source encoding is valid, but some characters from the [<spec>] are not valid in the

  specified encoding, then the characters are escaped as hex (for example, "\xF3").

* When set to "AUTO", Splunk attempts to automatically determine the character encoding and

  convert text from that encoding to UTF-8.

* For a complete list of the character sets Splunk automatically detects, see the online

  documentation.

* Defaults to ASCII.



#******************************************************************************

# Line breaking

#******************************************************************************


# Use the following attributes to define the length of a line.


TRUNCATE = <non-negative integer>

* Sets the maximum number of bytes per line.

* The default is 10,000 bytes; when set to 0, no truncation is done.

* Change the default maximum line length (in bytes).

* Although this is in bytes, line length is rounded down when this would

  otherwise land mid-character for multi-byte characters.

* Set to 0 if you never want truncation (very long lines are, however, often a sign of

  garbage data).

* Defaults to 10000 bytes.


LINE_BREAKER = <regular expression>

* Sets, as a regex, the form of the end of a line.

* Allows the boundary of each event to be defined by matching the events with a regular expression.

* Specifies a regex that determines how the raw text stream is broken into initial events,

  before line merging takes place. (See the SHOULD_LINEMERGE attribute, below)

* Defaults to ([\r\n]+), meaning data is broken into an event for each line, delimited by 

  any number of carriage return or newline characters.

* The regex must contain a capturing group -- a pair of parentheses which

  defines an identified subcomponent of the match.

* Wherever the regex matches, Splunk considers the start of the first

  capturing group to be the end of the previous event, and considers the end

  of the first capturing group to be the start of the next event.

* The contents of the first capturing group are discarded, and will not be

  present in any event.  You are telling Splunk that this text comes between

  lines.

* NOTE: You get a significant boost to processing speed when you use LINE_BREAKER to delimit

  multiline events (as opposed to using SHOULD_LINEMERGE to reassemble individual lines into

  multiline events).

  * When using LINE_BREAKER to delimit events, SHOULD_LINEMERGE should be set

    to false, to ensure no further combination of delimited events occurs.

  * Using LINE_BREAKER to delimit events is discussed in more detail in the web 

    documentation at the following url: 

    http://docs.splunk.com/Documentation/Splunk/latest/Data/indexmulti-lineevents


** Special considerations for LINE_BREAKER with branched expressions  **


When using LINE_BREAKER with completely independent patterns separated by

pipes, some special issues come into play.

    EG. LINE_BREAKER = pattern1|pattern2|pattern3


Note, this is not about all forms of alternation; for example, there is nothing

particularly special about

    example: LINE_BREAKER = ([\r\n])+(one|two|three)

where the top level remains a single expression.

 

A caution: Relying on these rules is NOT encouraged.  Simpler is better, in

both regular expressions and the complexity of the behavior they rely on.

If possible, it is strongly recommended that you reconstruct your regex to

have a leftmost capturing group that always matches.


It may be useful to use non-capturing groups if you need to express a group

before the text to discard.

    EG. LINE_BREAKER = (?:one|two)([\r\n]+)

    * This will match the text one, or two, followed by any amount of newlines

      or carriage returns.  The one-or-two group is non-capturing via the ?:

      prefix and will be skipped by LINE_BREAKER.


* A branched expression can match without the first capturing group matching,

  so the line breaker behavior becomes more complex.

  Rules:

  1: If the first capturing group is part of a match, it is considered the

     linebreak, as normal.

  2: If the first capturing group is not part of a match, the leftmost

     capturing group which is part of a match will be considered the linebreak.

  3: If no capturing group is part of the match, the linebreaker will assume

     that the linebreak is a zero-length break immediately preceding the match.


Example 1:  LINE_BREAKER = end(\n)begin|end2(\n)begin2|begin3


  * A line ending with 'end' followed by a line beginning with 'begin' would

    match the first branch, and the first capturing group would have a match

    according to rule 1.  That particular newline would become a break

    between lines.

  * A line ending with 'end2' followed by a line beginning with 'begin2'

    would match the second branch and the second capturing group would have a

    match.  That second capturing group would become the linebreak according

    to rule 2, and the associated newline would become a break between lines.

  * The text 'begin3' anywhere in the file at all would match the third

    branch, and there would be no capturing group with a match.  A linebreak

    would be assumed immediately prior to the text 'begin3' so a linebreak

    would be inserted prior to this text in accordance with rule 3.

    This means that a linebreak will occur before the text 'begin3' at any

    point in the text, whether a linebreak character exists or not.


Example 2: Example 1 would probably be better written as follows.  This is

           not equivalent for all possible files, but for most real files

           would be equivalent.


           LINE_BREAKER = end2?(\n)begin(2|3)?
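An added example, not Splunk's own code, that applies rules 1 to 3 to the spec's Example 1 and Example 2 patterns on a constructed text, so the difference between the two can be checked directly; the sample text and function name are this example's own.

```python
import re

# Constructed input: two well-formed records followed by the bare 'begin3' marker from
# the spec's Example 1, so that all three rules come into play.
SAMPLE = "alpha end\nbegin beta end2\nbegin2 gamma begin3 delta"
EXAMPLE_1 = r"end(\n)begin|end2(\n)begin2|begin3"
EXAMPLE_2 = r"end2?(\n)begin(2|3)?"


def break_events(text, line_breaker):
    """Split raw text into events the way LINE_BREAKER does, branched expressions included.

    For each match of the regex the break span is chosen as follows:
      rule 1: capturing group 1 took part in the match -> its span;
      rule 2: otherwise the leftmost capturing group that took part;
      rule 3: no capturing group took part -> a zero-length break right before the match.
    The break span is discarded from the output; empty events are not emitted.
    """
    regex = re.compile(line_breaker)
    events, start = [], 0
    for m in regex.finditer(text):
        break_span = None
        for g in range(1, regex.groups + 1):
            if m.start(g) != -1:          # this group participated in the match
                break_span = m.span(g)    # group 1 is tried first, so rule 1 wins when it applies
                break
        if break_span is None:            # rule 3
            break_span = (m.start(), m.start())
        if break_span[0] > start:
            events.append(text[start:break_span[0]])
        start = break_span[1]
    if start < len(text):
        events.append(text[start:])
    return events


if __name__ == "__main__":
    print(break_events(SAMPLE, EXAMPLE_1))   # 'begin3' starts a fourth event (rule 3)
    print(break_events(SAMPLE, EXAMPLE_2))   # no newline before 'begin3', so three events
```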


LINE_BREAKER_LOOKBEHIND = <integer>

* When there is leftover data from a previous raw chunk, LINE_BREAKER_LOOKBEHIND indicates the

  number of bytes before the end of the raw chunk (with the next chunk concatenated) that

  Splunk applies the LINE_BREAKER regex. You may want to increase this value from its default

  if you are dealing with especially large or multiline events.

* Defaults to 100 (bytes).


# Use the following attributes to specify how multiline events are handled.


SHOULD_LINEMERGE = [true|false]

* Setting for multiline events.

* When true, a single event is recognized according to the LINE_BREAKER option.

* When set to true, Splunk combines several lines of data into a single multiline event, based

  on the following configuration attributes.

* Defaults to true.


# When SHOULD_LINEMERGE is set to true, use the following attributes to define how Splunk builds

# multiline events.


BREAK_ONLY_BEFORE_DATE = [true|false]

* When set to true, Splunk creates a new event only if it encounters a new line with a date.

  * Note, when using DATETIME_CONFIG = CURRENT or NONE, this setting is not meaningful, as

    timestamps are not identified.

* Defaults to true.


BREAK_ONLY_BEFORE = <regular expression>

* When set, Splunk creates a new event only if it encounters a new line that matches the

  regular expression.

* Defaults to empty.


MUST_BREAK_AFTER = <regular expression>

* When set and the regular expression matches the current line, Splunk creates a new event for

  the next input line.

* Splunk may still break before the current line if another rule matches.

* Defaults to empty.


MUST_NOT_BREAK_AFTER = <regular expression>

* When set and the current line matches the regular expression, Splunk does not break on any

  subsequent lines until the MUST_BREAK_AFTER expression matches.

* Defaults to empty.


MUST_NOT_BREAK_BEFORE = <regular expression>

* When set and the current line matches the regular expression, Splunk does not break the

  last event before the current line.

* Defaults to empty.


MAX_EVENTS = <integer>

* Sets the maximum number of lines for a multiline event.

* The default is 256 (lines).

* Specifies the maximum number of input lines to add to any event.

* Splunk breaks after the specified number of lines are read.

* Defaults to 256 (lines).



#******************************************************************************

# Timestamp extraction configuration

#******************************************************************************


DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>

* Specifies which file configures the timestamp extractor, which identifies timestamps from the

  event text.

* This configuration may also be set to "NONE" to prevent the timestamp extractor from running

  or "CURRENT" to assign the current system time to each event.

  * "CURRENT" will set the time of the event to the time that the event was merged from lines, or

    worded differently, the time it passed through the aggregator processor.

  * "NONE" will leave the event time set to whatever time was selected by the input layer

    * For data sent by splunk forwarders over the splunk protocol, the input layer will be the time

      that was selected on the forwarder by its input behavior (as below).

    * For file-based inputs (monitor, batch) the time chosen will be the modification timestamp on

      the file being read.

    * For other inputs, the time chosen will be the current system time when the event is read from

      the pipe/socket/etc.

  * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so

    the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as

    desired.  When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_*

    settings to control event merging.

* Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).


TIME_PREFIX = <regular expression>

* Sets a regex for the prefix of the time field or time information.

* If set, splunk scans the event text for a match for this regex in event text before attempting 

  to extract a timestamp.

* The timestamping algorithm only looks for a timestamp in the text following the end of the 

  first regex match.

* For example, if TIME_PREFIX is set to "abc123", only text following the first occurrence of the 

  text abc123 will be used for timestamp extraction.

* If the TIME_PREFIX cannot be found in the event text, timestamp extraction will not occur.

* Defaults to empty.


MAX_TIMESTAMP_LOOKAHEAD = <integer>

* Specifies how far (in characters) into an event Splunk should look for a timestamp.

* This constraint to timestamp extraction is applied from the point of the TIME_PREFIX-set location.

* For example, if TIME_PREFIX positions a location 11 characters into the event, and 

  MAX_TIMESTAMP_LOOKAHEAD is set to 10, timestamp extraction will be constrained to characters 

  11 through 20.

* If set to 0, or -1, the length constraint for timestamp recognition is

  effectively disabled.  This can have negative performance implications which

  scale with the length of input lines (or with event size when LINE_BREAKER

  is redefined for event splitting).

* Defaults to 150 (characters).


TIME_FORMAT = <strptime-style format>

* Sets the format of the actual time information.

* Specifies a strptime format string to extract the date.

* strptime is an industry standard for designating time formats.

* For more information on strptime, see "Configure timestamp recognition" in

  the online documentation.

* TIME_FORMAT starts reading after the TIME_PREFIX. If both are specified, the TIME_PREFIX

  regex must match up to and including the character before the TIME_FORMAT date.

* For good results, the <strptime-style format> should describe the day of the year and the

  time of day.

* Defaults to empty.


TZ = <timezone identifier>

* Sets which time zone the time is in.

* The algorithm for determining the time zone for a particular event is as follows:

* If the event has a timezone in its raw text (for example, UTC, -08:00), use that.

* If TZ is set to a valid timezone string, use that.

* Otherwise, use the timezone of the system that is running splunkd.

* Defaults to empty.


TZ_ALIAS = <key=value>[,<key=value>]...

* Provides splunk admin-level control over how timezone strings extracted from events are

  interpreted.

  * For example, EST can mean Eastern (US) Standard time, or Eastern (Australian) Standard time.

    There are many other three letter timezone acronyms with many expansions.

* There is no requirement to use TZ_ALIAS if the traditional Splunk default mappings for these

  values have been as expected.  For example, EST maps to the Eastern US by default.

* Has no effect on TZ value; this only affects timezone strings from event text, either from

  any configured TIME_FORMAT, or from pattern-based guess fallback.

* The setting is a list of key=value pairs, separated by commas.

  * The key is matched against the text of the timezone specifier of the event, and the value is the

    timezone specifier to use when mapping the timestamp to UTC/GMT. 

  * The value is another TZ specifier which expresses the desired offset.

  * Example: TZ_ALIAS = EST=GMT+10:00 (See props.conf.example for more/full examples)

* Defaults to unset.


MAX_DAYS_AGO = <integer>

* Specifies the maximum number of days past, from the current date, that an extracted date

  can be valid.

* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.

* Defaults to 2000 (days), maximum 10951.

* IMPORTANT: If your data is older than 2000 days, increase this setting.


MAX_DAYS_HENCE = <integer>

* Specifies the maximum number of days in the future from the current date that an extracted

  date can be valid.

* For example, if MAX_DAYS_HENCE = 3, dates that are more than 3 days in the future are ignored.

* The default value includes dates from one day in the future.

* If your servers have the wrong date set or are in a timezone that is one day ahead, increase

  this value to at least 3.

* Defaults to 2 (days), maximum 10950.

* IMPORTANT: False positives are less likely with a tighter window; change with caution.


MAX_DIFF_SECS_AGO = <integer>

* If the event's timestamp is more than <integer> seconds BEFORE the previous timestamp, only

  accept the event if it has the same exact time format as the majority of timestamps from the 

  source.

* IMPORTANT: If your timestamps are wildly out of order, consider increasing this value.

* Note: if the events contain time but not date (date determined another way, such as from a

  filename) this check will only consider the hour. (No one second granularity for this purpose.)

* Defaults to 3600 (one hour), maximum 2147483646.


MAX_DIFF_SECS_HENCE = <integer>

* If the event's timestamp is more than <integer> seconds AFTER the previous timestamp, only

  accept the event if it has the same exact time format as the majority of timestamps from the 

  source.

* IMPORTANT: If your timestamps are wildly out of order, or you have logs that are written

  less than once a week, consider increasing this value.

* Defaults to 604800 (one week), maximum 2147483646.
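As an added illustration (not part of the spec and not Splunk's own code), the following Python applies the MAX_DAYS_AGO, MAX_DAYS_HENCE, MAX_DIFF_SECS_AGO and MAX_DIFF_SECS_HENCE rules to a constructed batch of extracted timestamps; computing the "majority format" over the whole batch, comparing against the previous accepted timestamp, and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TimestampLimits:
    """The four window settings with the defaults given in the spec above."""
    max_days_ago: int = 2000
    max_days_hence: int = 2
    max_diff_secs_ago: int = 3600
    max_diff_secs_hence: int = 604800


def within_day_window(candidate, now, limits):
    """MAX_DAYS_AGO / MAX_DAYS_HENCE: is the extracted date inside the allowed window?"""
    earliest = now - timedelta(days=limits.max_days_ago)
    latest = now + timedelta(days=limits.max_days_hence)
    return earliest <= candidate <= latest


def accept_timestamp(candidate, fmt, previous, majority_fmt, now, limits):
    """Decide whether one extracted timestamp is accepted for its event.

    A candidate outside the day window is always rejected. A candidate that sits
    more than MAX_DIFF_SECS_AGO before, or more than MAX_DIFF_SECS_HENCE after,
    the previous accepted timestamp (assumption: the spec only says "previous")
    is kept only when its format string equals the majority format of the source.
    """
    if not within_day_window(candidate, now, limits):
        return False
    if previous is not None:
        delta = (candidate - previous).total_seconds()
        if delta < -limits.max_diff_secs_ago or delta > limits.max_diff_secs_hence:
            return fmt == majority_fmt
    return True


def filter_events(events, now, limits):
    """events: list of (timestamp text, strptime format). Returns accepted datetimes.

    Assumption: the majority format is computed over the whole batch; how Splunk
    tracks the majority format for a source is not described by the spec.
    """
    formats = [fmt for _, fmt in events]
    majority_fmt = max(set(formats), key=formats.count)
    accepted, previous = [], None
    for text, fmt in events:
        candidate = datetime.strptime(text, fmt)
        if accept_timestamp(candidate, fmt, previous, majority_fmt, now, limits):
            accepted.append(candidate)
            previous = candidate
    return accepted


# Constructed sample batch ("now" is fixed so the result is reproducible).
NOW = datetime(2013, 12, 9, 12, 0, 0)
SAMPLE_EVENTS = [
    ("2013-12-09 10:00:00", "%Y-%m-%d %H:%M:%S"),
    ("2013-12-09 10:05:00", "%Y-%m-%d %H:%M:%S"),
    ("2013-12-09T08:30:00", "%Y-%m-%dT%H:%M:%S"),  # 95 min back, minority format: rejected
    ("2013-12-09 09:30:00", "%Y-%m-%d %H:%M:%S"),  # 35 min back, inside 3600 s: accepted
    ("2013-12-20 10:00:00", "%Y-%m-%d %H:%M:%S"),  # 11 days ahead of now: rejected
    ("2001-01-01 00:00:00", "%Y-%m-%d %H:%M:%S"),  # more than 2000 days old: rejected
    ("2013-12-09 10:10:00", "%Y-%m-%d %H:%M:%S"),
]

if __name__ == "__main__":
    for ts in filter_events(SAMPLE_EVENTS, NOW, TimestampLimits()):
        print(ts.isoformat())
```

Raising max_diff_secs_ago to 7200 makes the out-of-order ISO-style line pass, which is the "wildly out of order" adjustment the spec mentions.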



#******************************************************************************

# Structured Data Header Extraction and configuration

#******************************************************************************


INDEXED_EXTRACTIONS = < CSV|W3C|TSV|PSV >

* Tells Splunk the type of file and the extraction and/or parsing method Splunk should use

  on the file.

* The default value is set to CSV.


PREAMBLE_REGEX = <regex>

* Some files contain preamble lines. This attribute specifies a regular expression which

  allows Splunk to ignore these preamble lines, based on the pattern specified.


FIELD_HEADER_REGEX = <regex>

* A regular expression that specifies a pattern for prefixed headers. Note that the actual header

  starts after the pattern and it is not included in the header field.

* Special characters are supported in this attribute.


HEADER_FIELD_LINE_NUMBER = <integer>

* Tells Splunk the line number of the line within the file that contains the header fields.

  If set to 0, Splunk attempts to locate the header fields within the file automatically.

* The default value is set to 0.


FIELD_DELIMITER = <character>

* Tells Splunk which character delimits or separates fields in the specified file or source.

* Special characters are supported in this attribute.


FIELD_QUOTE = <character>

* Tells Splunk the character to use for quotes in the specified file or source.

* Special characters are supported in this attribute.


TIMESTAMP_FIELDS = [ <string>,..., <string>] 

* Some CSV and structured files have their timestamp encompass multiple fields in the event 

  separated by delimiters. This attribute tells Splunk to specify all such fields which

  constitute the timestamp in a comma-separated fashion.

* If not specified, splunk tries to automatically extract the timestamp of the event.


FIELD_NAMES = [ <string>,..., <string>] 

* Some CSV and structured files might have missing headers. This attribute tells Splunk to

  specify the header field names directly.
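To show how the structured-data settings above combine, here is an added Python parser (not Splunk's implementation) that applies PREAMBLE_REGEX, FIELD_HEADER_REGEX, HEADER_FIELD_LINE_NUMBER, FIELD_DELIMITER, FIELD_QUOTE, TIMESTAMP_FIELDS and FIELD_NAMES to a constructed file; that the line number is 1-based, that timestamp fields are joined with a space, and the timestamp_format argument standing in for TIME_FORMAT are assumptions of the example.

```python
import csv
import re
from datetime import datetime


def parse_structured_file(text, *, preamble_regex=None, field_header_regex=None,
                          header_field_line_number=0, field_delimiter=",",
                          field_quote='"', timestamp_fields=None, field_names=None,
                          timestamp_format="%Y-%m-%d %H:%M:%S"):
    """Split a delimited file into events using the settings described above.

    Assumptions not stated by the spec: HEADER_FIELD_LINE_NUMBER is 1-based, the
    values named in TIMESTAMP_FIELDS are joined with a single space before
    parsing, and timestamp_format stands in for TIME_FORMAT.
    """
    lines = text.splitlines()
    preamble = re.compile(preamble_regex) if preamble_regex else None

    def is_preamble(line):
        return preamble is not None and preamble.match(line) is not None

    header = list(field_names) if field_names else None  # FIELD_NAMES: no header in file
    data_lines = lines
    if header is None:
        if header_field_line_number > 0:
            idx = header_field_line_number - 1
        else:
            # HEADER_FIELD_LINE_NUMBER = 0: locate the header automatically; here the
            # first non-preamble line containing the delimiter is taken.
            idx = next((i for i, ln in enumerate(lines)
                        if not is_preamble(ln) and field_delimiter in ln), None)
            if idx is None:
                raise ValueError("no header line found")
        header_line = lines[idx]
        if field_header_regex:
            # FIELD_HEADER_REGEX: the header proper starts after the prefix match
            m = re.match(field_header_regex, header_line)
            if m:
                header_line = header_line[m.end():]
        header = next(csv.reader([header_line], delimiter=field_delimiter,
                                 quotechar=field_quote))
        data_lines = lines[idx + 1:]

    # PREAMBLE_REGEX: preamble lines are ignored wherever they appear
    data_lines = [ln for ln in data_lines if ln.strip() and not is_preamble(ln)]
    events = []
    for row in csv.reader(data_lines, delimiter=field_delimiter, quotechar=field_quote):
        event = dict(zip(header, row))
        if timestamp_fields:
            # TIMESTAMP_FIELDS: the timestamp is spread over several delimited fields
            joined = " ".join(event[name] for name in timestamp_fields)
            event["_time"] = datetime.strptime(joined, timestamp_format)
        events.append(event)
    return events


# Constructed sample: two comment-style preamble lines, a prefixed header line,
# and a quoted field in the second record.
SAMPLE_FILE = (
    "# exported by constructed-tool v1\n"
    "# host: example\n"
    "Fields: date,time,src,action\n"
    "2013-12-09,10:00:01,10.0.0.5,allow\n"
    '2013-12-09,10:00:02,"10.0.0.6",deny\n'
)

if __name__ == "__main__":
    for ev in parse_structured_file(SAMPLE_FILE, preamble_regex=r"^#",
                                    field_header_regex=r"^Fields:\s*",
                                    timestamp_fields=["date", "time"]):
        print(ev)
```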


#******************************************************************************

# Field extraction configuration

#******************************************************************************


NOTE: If this is your first time configuring field extractions in props.conf, review

the following information first.


There are three different "field extraction types" that you can use to configure field

extractions: TRANSFORMS, REPORT, and EXTRACT. They differ in two significant ways: 1) whether

they create indexed fields (fields extracted at index time) or extracted fields (fields

extracted at search time), and 2) whether they include a reference to an additional component

called a "field transform," which you define separately in transforms.conf.


**Field extraction configuration: index time versus search time**


Use the TRANSFORMS field extraction type to create index-time field extractions. Use the

REPORT or EXTRACT field extraction types to create search-time field extractions.


NOTE: Index-time field extractions have performance implications. Creating additions to

Splunk's default set of indexed fields is ONLY recommended in specific circumstances.

Whenever possible, extract fields only at search time.


There are times when you may find that you need to change or add to your set of indexed

fields. For example, you may have situations where certain search-time field extractions are

noticeably impacting search performance. This can happen when the value of a search-time

extracted field exists outside of the field more often than not. For example, if you commonly

search a large event set with the expression company_id=1 but the value 1 occurs in many

events that do *not* have company_id=1, you may want to add company_id to the list of fields

extracted by Splunk at index time. This is because at search time, Splunk will want to check

each instance of the value 1 to see if it matches company_id, and that kind of thing slows

down performance when you have Splunk searching a large set of data.


Conversely, if you commonly search a large event set with expressions like company_id!=1

or NOT company_id=1, and the field company_id nearly *always* takes on the value 1, you

may want to add company_id to the list of fields extracted by Splunk at index time.


For more information about index-time field extraction, search the documentation for

"index-time extraction." For more information about search-time field extraction, search

the online documentation for "search-time extraction."


**Field extraction configuration: field transforms vs. "inline" (props.conf only) configs**


The TRANSFORMS and REPORT field extraction types reference an additional component called

a field transform, which you define separately in transforms.conf. Field transforms contain

a field-extracting regular expression and other attributes that govern the way that the

transform extracts fields. Field transforms are always created in conjunction with field

extraction stanzas in props.conf; they do not stand alone.


The EXTRACT field extraction type is considered to be "inline," which means that it does

not reference a field transform. It contains the regular expression that Splunk uses to

extract fields at search time. You can use EXTRACT to define a field extraction entirely

within props.conf--no transforms.conf component is required.


**Search-time field extractions: Why use REPORT if EXTRACT will do?**


It's a good question. And much of the time, EXTRACT is all you need for search-time field

extraction. But when you build search-time field extractions, there are specific cases that

require the use of REPORT and the field transform that it references. Use REPORT if you want

to:


        * Reuse the same field-extracting regular expression across multiple sources, source

          types, or hosts. If you find yourself using the same regex to extract fields across

          several different sources, source types, and hosts, set it up as a transform, and then

          reference it in REPORT extractions in those stanzas. If you need to update the regex

          you only have to do it in one place. Handy!

        * Apply more than one field-extracting regular expression to the same source, source

          type, or host. This can be necessary in cases where the field or fields that you want

          to extract from a particular source, source type, or host appear in two or more very

          different event patterns.

        * Use a regular expression to extract fields from the values of another field (also

          referred to as a "source key").

        * Set up delimiter-based field extractions. Useful if your event data presents

          field-value pairs (or just field values) separated by delimiters such as commas,

          spaces, bars, and so on.

        * Configure extractions for multivalued fields. You can have Splunk append additional

          values to a field as it finds them in the event data.

        * Extract fields with names beginning with numbers or underscores. Ordinarily, Splunk's

          key cleaning functionality removes leading numeric characters and underscores from

          field names. If you need to keep them, configure your field transform to turn key

          cleaning off.

        * Manage formatting of extracted fields, in cases where you are extracting multiple fields,

          or are extracting both the field name and field value.


**Precedence rules for TRANSFORMS, REPORT, and EXTRACT field extraction types**


* For each field extraction, Splunk takes the configuration from the highest precedence

  configuration stanza (see precedence rules at the beginning of this file).

* If a particular field extraction is specified for a source and a source type, the field

  extraction for source wins out.

* Similarly, if a particular field extraction is specified in ../local/ for a <spec>, it

  overrides that field extraction in ../default/.



TRANSFORMS-<class> = <transform_stanza_name>, <transform_stanza_name2>,...

* Sets a TRANSFORMS class for modifying data.

* The transform_stanza_name referenced here must be defined in transforms.conf.

* Used for creating indexed fields (index-time field extractions).

* <class> is a unique literal string that identifies the namespace of the field you're extracting.

  **Note:** <class> values do not have to follow field name syntax restrictions. You can use 

  characters other than a-z, A-Z, and 0-9, and spaces are allowed. <class> values are not subject

  to key cleaning. 

* <transform_stanza_name> is the name of your stanza from transforms.conf.

* Use a comma-separated list to apply multiple transform stanzas to a single TRANSFORMS

  extraction. Splunk applies them in the list order. For example, this sequence ensures that

  the [yellow] transform stanza gets applied first, then [blue], and then [red]:

        [source::color_logs]

        TRANSFORMS-colorchange = yellow, blue, red


REPORT-<class> = <transform_stanza_name>, <transform_stanza_name2>,...

* Used for creating extracted fields (search-time field extractions) that reference one or more

  transforms.conf stanzas.

* <class> is a unique literal string that identifies the namespace of the field you're extracting.

  **Note:** <class> values do not have to follow field name syntax restrictions. You can use 

  characters other than a-z, A-Z, and 0-9, and spaces are allowed. <class> values are not subject

  to key cleaning. 

* <transform_stanza_name> is the name of your stanza from transforms.conf.

* Use a comma-separated list to apply multiple transform stanzas to a single REPORT extraction.

  Splunk applies them in the list order. For example, this sequence ensures that the [yellow]

  transform stanza gets applied first, then [blue], and then [red]:

        [source::color_logs]

        REPORT-colorchange = yellow, blue, red


EXTRACT-<class> = [<regex>|<regex> in <src_field>]

* Setting for field extraction.

* Used to create extracted fields (search-time field extractions) that do not reference

  transforms.conf stanzas.

* Performs a regex-based field extraction from the value of the source field.

* <class> is a unique literal string that identifies the namespace of the field you're extracting.

  **Note:** <class> values do not have to follow field name syntax restrictions. You can use 

  characters other than a-z, A-Z, and 0-9, and spaces are allowed. <class> values are not subject

  to key cleaning. 

* The <regex> is required to have named capturing groups. When the <regex> matches, the named

  capturing groups and their values are added to the event.

* Use '<regex> in <src_field>' to match the regex against the values of a specific field.

  Otherwise it just matches against _raw (all raw event data).

* NOTE: <src_field> can only contain alphanumeric characters (a-z, A-Z, and 0-9).

* If your regex needs to end with 'in <string>' where <string> is *not* a field name, change

  the regex to end with '[i]n <string>' to ensure that Splunk doesn't try to match <string>

  to a field name.
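An added example (not Splunk's own parser) that splits an EXTRACT-<class> value into its regex and optional source field, enforces the alphanumeric restriction on <src_field>, and shows why a regex that ends in "in <string>" needs the "[i]n" spelling; the event, field names and regexes are constructed, and Python's re module stands in for Splunk's PCRE, so PCRE-style (?<name>...) groups are rewritten to Python's (?P<name>...).

```python
import re

# PCRE's (?<name>...) is rewritten to Python's (?P<name>...); the lookbehind
# forms (?<= and (?<! are left alone.
_PCRE_NAMED_GROUP = re.compile(r"\(\?<(?![=!])")
# Trailing ' in <src_field>' is only recognised when <src_field> is alphanumeric,
# as the spec requires.
_SRC_FIELD_SUFFIX = re.compile(r"^(?P<regex>.+?)\s+in\s+(?P<srcfield>[A-Za-z0-9]+)\s*$")


def parse_extract(value):
    """Split an EXTRACT-<class> value into (regex text, field to match against).

    Without a recognised ' in <src_field>' suffix the whole value is the regex
    and it is applied to _raw.
    """
    m = _SRC_FIELD_SUFFIX.match(value)
    if m:
        return m.group("regex"), m.group("srcfield")
    return value.strip(), "_raw"


def apply_extract(event, value):
    """Run one EXTRACT against an event (dict of field -> value); return the new fields."""
    pattern_text, src_field = parse_extract(value)
    pattern = re.compile(_PCRE_NAMED_GROUP.sub("(?P<", pattern_text))
    if not pattern.groupindex:
        raise ValueError("EXTRACT regex must contain at least one named capturing group")
    m = pattern.search(event.get(src_field, ""))
    if m is None:
        return {}
    new_fields = {k: v for k, v in m.groupdict().items() if v is not None}
    event.update(new_fields)
    return new_fields


# Constructed sample event and EXTRACT values.
SAMPLE_EVENT = {
    "_raw": "Dec  9 10:00:01 host sshd[123]: Accepted publickey for alice "
            "from 10.0.0.7 port 50022 ssh2",
}
EXTRACT_LOGIN = r"Accepted (?<method>\w+) for (?<user>\w+) from (?<clientip>[\d.]+)"
# Second extraction runs against the clientip field produced by the first.
EXTRACT_OCTET = r"(?<octet1>\d+)\. in clientip"
# The pitfall from the spec: 'in session' is taken as a source field, so the
# regex silently shrinks to '(?<user>\w+) logged' applied to a field named
# 'session'. Writing '[i]n' keeps the whole regex on _raw.
EXTRACT_PITFALL = r"(?<user>\w+) logged in session"
EXTRACT_FIXED = r"(?<user>\w+) logged [i]n session"

if __name__ == "__main__":
    ev = dict(SAMPLE_EVENT)
    print(apply_extract(ev, EXTRACT_LOGIN))
    print(apply_extract(ev, EXTRACT_OCTET))
    print(parse_extract(EXTRACT_PITFALL), parse_extract(EXTRACT_FIXED))
```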


KV_MODE = [none|auto|auto_escaped|multi|json|xml]

* Sets the key-value extraction mode.

* Used for search-time field extractions only.

* Specifies the field/value extraction mode for the data.

* Set KV_MODE to one of the following:

        * none: if you want no field/value extraction to take place.

        * auto: extracts field/value pairs separated by equal signs.

        * auto_escaped: extracts fields/value pairs separated by equal signs and honors \" and \\ 

          as escaped sequences within quoted values, e.g field="value with \"nested\" quotes"

        * multi: invokes the multikv search command to expand a tabular event into multiple events.

* xml : automatically extracts fields from XML data.

* json: automatically extracts fields from JSON data.

* Setting to 'none' can ensure that one or more user-created regexes are not overridden by

  automatic field/value extraction for a particular host, source, or source type, and also

  increases search performance.

* Defaults to auto.

* The 'xml' and 'json' modes will not extract any fields when used on data that isn't of the 

  correct format (JSON or XML).


CHECK_FOR_HEADER = [true|false]

* Used for index-time field extractions only.

* Set to true to enable header-based field extraction for a file.

* If the file has a list of columns and each event contains a field value (without a field

  name), Splunk picks a suitable header line to use for extracting field names.

* Can only be used on the basis of [<sourcetype>] or [source::<spec>], not [host::<spec>].

* Disabled when LEARN_SOURCETYPE = false.

* Will cause the indexed source type to have an appended numeral; for example, sourcetype-2,

  sourcetype-3, and so on.

* The field names are stored in etc/apps/learned/local/props.conf.

  * Because of this, this feature will not work in most environments where the

    data is forwarded.

* Defaults to false.


SEDCMD-<class> = <sed script>

* Only used at index time.

* Commonly used to anonymize incoming data at index time, such as credit card or social

  security numbers. For more information, search the online documentation for "anonymize

  data."

* Used to specify a sed script which Splunk applies to the _raw field.

* A sed script is a space-separated list of sed commands. Currently the following subset of

  sed commands is supported:

        * replace (s) and character substitution (y).

* Syntax:

        * replace - s/regex/replacement/flags

                * regex is a perl regular expression (optionally containing capturing groups).

                * replacement is a string to replace the regex match. Use \n for backreferences,

                  where "n" is a single digit.

                * flags can be either: g to replace all matches, or a number to replace a specified

                  match.

        * substitute - y/string1/string2/

                * substitutes the string1[i] with string2[i]
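The s and y subset described above, implemented in Python as an added example (not Splunk's own sed engine) and applied to a constructed log line to mask card and social security numbers before indexing; the SEDCMD value and the log line are made up for the example, and Python's re module stands in for Splunk's PCRE.

```python
import re


def _read_fields(script, pos, count):
    """Read `count` fields, each terminated by the delimiter found at script[pos].

    A backslash before the delimiter escapes it; every other backslash sequence
    is passed through unchanged so regex escapes such as \\d survive.
    """
    delim = script[pos]
    pos += 1
    fields = []
    for _ in range(count):
        buf = []
        while True:
            if pos >= len(script):
                raise ValueError("unterminated sed command: %r" % script)
            ch = script[pos]
            if ch == "\\" and pos + 1 < len(script) and script[pos + 1] == delim:
                buf.append(delim)
                pos += 2
                continue
            if ch == delim:
                pos += 1
                break
            buf.append(ch)
            pos += 1
        fields.append("".join(buf))
    return fields, pos


def parse_sed_script(script):
    """Parse the SEDCMD subset: s/regex/replacement/flags and y/string1/string2/.

    Returns ('s', compiled regex, replacement, which) or ('y', translation table);
    which is 0 for the g flag (all matches) or N for the N-th match (1 if no flag).
    """
    commands = []
    pos = 0
    while pos < len(script):
        if script[pos].isspace():
            pos += 1
            continue
        op = script[pos]
        if op == "s":
            (regex, replacement), pos = _read_fields(script, pos + 1, 2)
            end = pos
            while end < len(script) and not script[end].isspace():
                end += 1
            flags, pos = script[pos:end], end
            if flags == "g":
                which = 0
            elif flags == "":
                which = 1
            elif flags.isdigit():
                which = int(flags)
            else:
                raise ValueError("unsupported s flags: %r" % flags)
            commands.append(("s", re.compile(regex), replacement, which))
        elif op == "y":
            (src, dst), pos = _read_fields(script, pos + 1, 2)
            if len(src) != len(dst):
                raise ValueError("y/// strings must have equal length")
            commands.append(("y", str.maketrans(src, dst)))
        else:
            raise ValueError("unsupported sed command %r" % op)
    return commands


def apply_sedcmd(script, raw):
    """Apply a SEDCMD script to an event's _raw text and return the rewritten text."""
    for cmd in parse_sed_script(script):
        if cmd[0] == "y":
            raw = raw.translate(cmd[1])
            continue
        _, pattern, replacement, which = cmd
        if which == 0:
            raw = pattern.sub(lambda m: m.expand(replacement), raw)
        else:
            seen = 0

            def nth(m):
                nonlocal seen
                seen += 1
                # expand() resolves \1-style backreferences in the replacement
                return m.expand(replacement) if seen == which else m.group(0)
            raw = pattern.sub(nth, raw)
    return raw


# Constructed SEDCMD value: mask the middle of card numbers everywhere, and the
# first five digits of the first SSN-shaped token.
SEDCMD_MASK_PII = (
    r"s/(\d{4})-\d{4}-\d{4}-(\d{4})/\1-XXXX-XXXX-\2/g "
    r"s/\b\d{3}-\d{2}-(\d{4})\b/***-**-\1/"
)
SAMPLE_RAW = "2013-12-09 10:00:01 user=alice card=4111-1111-1111-1234 ssn=123-45-6789"

if __name__ == "__main__":
    print(apply_sedcmd(SEDCMD_MASK_PII, SAMPLE_RAW))
```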


LOOKUP-<class> = $TRANSFORM (<match_field> (AS <match_field_in_event>)?)+ (OUTPUT|OUTPUTNEW 

(<output_field> (AS <output_field_in_event>)? )+ )?

* At search time, identifies a specific lookup table and describes how that lookup table should

  be applied to events.

* <match_field> specifies a field in the lookup table to match on.

        * By default Splunk looks for a field with that same name in the event to match with

          (if <match_field_in_event> is not provided)

        * You must provide at least one match field. Multiple match fields are allowed.

* <output_field> specifies a field in the lookup entry to copy into each matching event,

  where it will be in the field <output_field_in_event>.

        * If you do not specify an <output_field_in_event> value, Splunk uses <output_field>.

        * A list of output fields is not required.

* If they are not provided, all fields in the lookup table except for the match fields (and

  the timestamp field if it is specified) will be output for each matching event.

* If the output field list starts with the keyword "OUTPUTNEW" instead of "OUTPUT",

  then each output field is only written out if it did not previously exist. Otherwise,

  the output fields are always overridden. Any event that has all of the <match_field> values

  but no matching entry in the lookup table clears all of the output fields.

  NOTE that OUTPUTNEW behavior has changed since 4.1.x (where *none* of the output fields were

  written to if *any* of the output fields previously existed)

* The LOOKUP- prefix is actually case-insensitive. Acceptable variants include:

        LOOKUP_<class> = [...]

        LOOKUP<class>  = [...]

        lookup_<class> = [...]

        lookup<class>  = [...]
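The OUTPUT versus OUTPUTNEW rules above, including the clearing of output fields when all match fields are present but no table entry matches, as an added Python example (not Splunk's lookup implementation); the "assets" transform, the table rows and the events are constructed, and the spec's timestamp-field exclusion is not modelled.

```python
import re

_LOOKUP_VALUE = re.compile(
    r"^\$(?P<transform>\w+)\s+(?P<match>.+?)"
    r"(?:\s+(?P<mode>OUTPUTNEW|OUTPUT)(?:\s+(?P<output>.+?))?)?\s*$"
)


def _parse_field_list(text):
    """'ip AS src_ip role' -> [('ip', 'src_ip'), ('role', 'role')]."""
    tokens = text.split()
    pairs, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "AS":
            pairs.append((tokens[i], tokens[i + 2]))
            i += 3
        else:
            pairs.append((tokens[i], tokens[i]))
            i += 1
    return pairs


def parse_lookup(value):
    """Parse a LOOKUP-<class> value into (transform, match pairs, output_new, output pairs).

    Each pair is (field in the lookup table, field on the event); output pairs is
    None when no OUTPUT/OUTPUTNEW list was given.
    """
    m = _LOOKUP_VALUE.match(value)
    if m is None:
        raise ValueError("cannot parse LOOKUP value: %r" % value)
    output = _parse_field_list(m.group("output")) if m.group("output") else None
    return (m.group("transform"), _parse_field_list(m.group("match")),
            m.group("mode") == "OUTPUTNEW", output)


def apply_lookup(event, table, match, output_new, output=None):
    """Apply one lookup to an event (a dict) in place, following the rules above.

    table is a list of row dicts standing in for the lookup table.
    """
    # An event that lacks one of the match fields is left untouched.
    if any(event_field not in event for _, event_field in match):
        return event
    if output is None:
        # No output list: every table column except the match fields is output.
        match_columns = {lookup_field for lookup_field, _ in match}
        output = [(col, col) for col in table[0] if col not in match_columns]
    row = next((r for r in table
                if all(r.get(lf) == event[ef] for lf, ef in match)), None)
    if row is None:
        # All match fields present but no matching entry: clear the output fields.
        for _, event_field in output:
            event.pop(event_field, None)
        return event
    for lookup_field, event_field in output:
        if output_new and event_field in event:
            continue  # OUTPUTNEW keeps a value the event already has
        event[event_field] = row[lookup_field]
    return event


def run_lookup(event, table, value):
    """Parse the LOOKUP value and apply it to the event."""
    _, match, output_new, output = parse_lookup(value)
    return apply_lookup(event, table, match, output_new, output)


# Constructed lookup table and LOOKUP values.
ASSET_TABLE = [
    {"ip": "10.0.0.5", "owner": "alice", "role": "workstation"},
    {"ip": "10.0.0.9", "owner": "bob", "role": "server"},
]
LOOKUP_OUTPUT = "$assets ip AS src_ip OUTPUT owner AS src_owner role"
LOOKUP_OUTPUTNEW = "$assets ip AS src_ip OUTPUTNEW owner AS src_owner role"

if __name__ == "__main__":
    print(run_lookup({"src_ip": "10.0.0.5", "src_owner": "from_event"}, ASSET_TABLE, LOOKUP_OUTPUT))
    print(run_lookup({"src_ip": "10.0.0.5", "src_owner": "from_event"}, ASSET_TABLE, LOOKUP_OUTPUTNEW))
    print(run_lookup({"src_ip": "10.0.0.1", "src_owner": "stale"}, ASSET_TABLE, LOOKUP_OUTPUT))
```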


FIELDALIAS-<class> = (<orig_field_name> AS <new_field_name>)+

* Sets field aliases.

* Use this to apply aliases to a field. The original field is not removed. This just means

  that the original field can be searched on using any of its aliases.

* You can create multiple aliases for the same field.

* <orig_field_name> is the original name of the field.

* <new_field_name> is the alias to assign to the field.

* You can include multiple field alias renames in the same stanza.

* Field aliasing is performed at search time, after field extraction, but before lookups.

  This means that:

        * Any field extracted at search time can be aliased.

        * You can specify a lookup based on a field alias.


EVAL-<fieldname> = <eval statement>

* Use this to automatically run the <eval statement> and assign the 

  value of the output to <fieldname>.  This feature is referred to as 'calculated fields'.

* When multiple EVAL-* statements are specified, they behave as if 

  they are run in parallel, rather than in any particular sequence.  

  This means that if you have e.g. EVAL-x=y*2, EVAL-y=100, x will be 

  assigned the original value of y * 2, not the value of y after it is set to 100.

* All field calculations are done after field aliasing but before lookups.  This

  means you can look up based on the value of a calculated field.


#******************************************************************************

# Binary file configuration

#******************************************************************************


NO_BINARY_CHECK = [true|false]

* Setting for binary files.

* Defaults to false, so binary files are ignored.

* When set to true, Splunk processes binary files.

* Can only be used on the basis of [<sourcetype>], or [source::<source>], not [host::<host>].

* Defaults to false (binary files are ignored).


detect_trailing_nulls = [auto|true|false]

* When enabled, Splunk will try to avoid reading in null bytes at the end of a file.

* When false, splunk will assume that all the bytes in the file should be read and indexed.

* Set this value to false for UTF-16 and other encodings (CHARSET) values that

  can have null bytes as part of the character text.

* Subtleties of 'true' vs 'auto':

  * 'true' is the splunk-on-windows historical behavior of trimming all null bytes.

  * 'auto' is currently a synonym for true but will be extended to be sensitive

    to the charset selected (i.e. quantized for multi-byte encodings, and

    disabled for unsafe variable-width encodings)

* This feature was introduced to work around programs which foolishly

  pre-allocate their log files with nulls and fill in data later.  The

  well-known case is Internet Information Server.

* Defaults to false on *nix, true on windows.


#******************************************************************************

# Segmentation configuration

#******************************************************************************


SEGMENTATION = <segmenter>

* Specifies the segmenter from segmenters.conf to use at index time for the host,

  source, or sourcetype specified by <spec> in the stanza heading.

* Defaults to indexing.


SEGMENTATION-<segment selection> = <segmenter>

* Specifies that Splunk Web should use the specific segmenter (from segmenters.conf) for the

  given <segment selection> choice.

* Default <segment selection> choices are: all, inner, outer, raw. For more information

  see the Admin Manual.

* Do not change the set of default <segment selection> choices, unless you have some overriding

  reason for doing so. In order for a changed set of <segment selection> choices to appear in

  Splunk Web, you will need to edit the Splunk Web UI.


#******************************************************************************

# File checksum configuration

#******************************************************************************


CHECK_METHOD = [endpoint_md5|entire_md5|modtime]

* Set CHECK_METHOD = endpoint_md5 to have Splunk checksum the first and last 256 bytes of a

  file. When it finds matches, Splunk lists the file as already indexed and indexes only new

  data, or ignores it if there is no new data.

* Set CHECK_METHOD = entire_md5 to use the checksum of the entire file.

* Set CHECK_METHOD = modtime to check only the modification time of the file.

* Settings other than endpoint_md5 cause Splunk to index the entire file for each detected

  change.

* Defaults to endpoint_md5.

* Important: this option is only valid for [source::<source>] stanzas.  


initCrcLength = <integer>

* See documentation in inputs.conf.spec.


#******************************************************************************

# Small file settings

#******************************************************************************


PREFIX_SOURCETYPE = [true|false]

* NOTE: this attribute is only relevant to the "[too_small]" sourcetype.

* Determines the source types that are given to files smaller than 100 lines, and are therefore

  not classifiable.

* PREFIX_SOURCETYPE = false sets the source type to "too_small."

* PREFIX_SOURCETYPE = true sets the source type to "<sourcename>-too_small", where "<sourcename>"

  is a cleaned up version of the filename.

        * The advantage of PREFIX_SOURCETYPE = true is that not all small files are classified as

          the same source type, and wildcard searching is often effective.

        * For example, a Splunk search of "sourcetype=access*" will retrieve "access" files as well

          as "access-too_small" files.

* Defaults to true.



#******************************************************************************

# Sourcetype configuration

#******************************************************************************


sourcetype = <string>

* Can only be set for a [source::...] stanza.

* Anything from that <source> is assigned the specified source type.

* Defaults to empty.


# The following attribute/value pairs can only be set for a stanza that begins

# with [<sourcetype>]:


rename = <string>

* Renames [<sourcetype>] as <string>

* With renaming, you can search for the [<sourcetype>] with sourcetype=<string>

* To search for the original source type without renaming it, use the field _sourcetype.

* Data from a renamed sourcetype will only use the search-time configuration for the target 

  sourcetype. Field extractions (REPORT/EXTRACT) for this stanza sourcetype will be ignored.

* Defaults to empty.


invalid_cause = <string>

* Can only be set for a [<sourcetype>] stanza.

* Splunk does not index any data with invalid_cause set.

* Set <string> to "archive" to send the file to the archive processor (specified in

  unarchive_cmd).

* Set to any other string to throw an error in the splunkd.log if you are running

  Splunklogger in debug mode.

* Defaults to empty.


is_valid = [true|false]

* Automatically set by invalid_cause.

* DO NOT SET THIS.

* Defaults to true.


unarchive_cmd = <string>

* Only called if invalid_cause is set to "archive".

* This field is only valid on [source::<source>] stanzas.

* <string> specifies the shell command to run to extract an archived source.

* Must be a shell command that takes input on stdin and produces output on stdout.

* Use _auto for Splunk's automatic handling of archive files (tar, tar.gz, tgz, tbz, tbz2, zip)

* Defaults to empty.


unarchive_sourcetype = <string>

* Sets the source type of the contents of the matching archive file. Use this field instead

  of the sourcetype field to set the source type of archive files that have the following

  extensions: gz, bz, bz2, Z.

* If this field is empty (for a matching archive file props lookup) Splunk strips off the

  archive file's extension (.gz, .bz, etc.) and looks up another stanza to attempt to determine

  the sourcetype.

* Defaults to empty.


LEARN_SOURCETYPE = [true|false]

* Determines whether learning of known or unknown sourcetypes is enabled.

        * For known sourcetypes, refer to LEARN_MODEL.

        * For unknown sourcetypes, refer to the rule:: and delayedrule:: configuration (see below).

* Setting this field to false disables CHECK_FOR_HEADER as well (see above).

* Defaults to true.


LEARN_MODEL = [true|false]

* For known source types, the file classifier adds a model file to the learned directory.

* To disable this behavior for diverse source types (such as sourcecode, where there is no good

exemplar to make a sourcetype) set LEARN_MODEL = false.

* Defaults to false.


maxDist = <integer>

* Determines how different a source type model may be from the current file.

* The larger the maxDist value, the more forgiving Splunk will be with differences.

        * For example, if the value is very small (for example, 10), then files of the specified

          sourcetype should not vary much.

        * A larger value indicates that files of the given source type can vary quite a bit.

* If you're finding that a source type model is matching too broadly, reduce its maxDist

  value by about 100 and try again. If you're finding that a source type model is being too

  restrictive, increase its maxDist value by about 100 and try again.

* Defaults to 300.


# rule:: and delayedrule:: configuration


MORE_THAN<optional_unique_value>_<number> = <regular expression> (empty)

LESS_THAN<optional_unique_value>_<number> = <regular expression> (empty)


An example:


[rule::bar_some]

sourcetype = source_with_lots_of_bars

# if more than 80% of lines have "----", but fewer than 70% have "####" declare this a

# "source_with_lots_of_bars"

MORE_THAN_80 = ----

LESS_THAN_70 = ####


A rule can have many MORE_THAN and LESS_THAN patterns, and all are required for the rule

to match.
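The [rule::bar_some] example above, evaluated in Python as an added example (not Splunk's file classifier): each MORE_THAN/LESS_THAN attribute becomes a percentage-of-lines check and a rule matches only when every check holds; the sample files are constructed, and Python's re module stands in for Splunk's regex engine.

```python
import re

# MORE_THAN<optional_unique_value>_<number> / LESS_THAN<optional_unique_value>_<number>
_RULE_KEY = re.compile(r"^(?P<kind>MORE_THAN|LESS_THAN)(?P<unique>.*?)_(?P<pct>\d+)$")


def parse_rule_checks(attrs):
    """Turn the MORE_THAN*/LESS_THAN* attributes of a rule stanza into checks.

    Each check is (kind, percentage, compiled regex). Other attributes of the
    stanza, such as 'sourcetype', are ignored here.
    """
    checks = []
    for key, value in attrs.items():
        m = _RULE_KEY.match(key)
        if m:
            checks.append((m.group("kind"), int(m.group("pct")), re.compile(value)))
    return checks


def rule_matches(lines, checks):
    """A rule matches only when every MORE_THAN and LESS_THAN check holds."""
    if not lines:
        return False
    for kind, pct, pattern in checks:
        hits = sum(1 for line in lines if pattern.search(line))
        share = 100.0 * hits / len(lines)
        if kind == "MORE_THAN" and share <= pct:
            return False
        if kind == "LESS_THAN" and share >= pct:
            return False
    return True


def classify(lines, rules):
    """rules: list of (sourcetype, checks) in stanza order; the first matching rule wins
    (assumption: the spec does not state how competing rules are ordered)."""
    for sourcetype, checks in rules:
        if rule_matches(lines, checks):
            return sourcetype
    return None


# The [rule::bar_some] stanza from the example above, as a dict of attributes.
BAR_SOME = {"sourcetype": "source_with_lots_of_bars",
            "MORE_THAN_80": "----", "LESS_THAN_70": "####"}

# Constructed sample files: the first has "----" on 9 of 10 lines and "####" on
# 2 of 10; the second has "----" on only half of its lines.
BARRY_LINES = (["---- record %d ----" % i for i in range(8)]
               + ["---- #### mixed ----", "#### trailer ####"])
PLAIN_LINES = (["---- record %d ----" % i for i in range(5)]
               + ["plain record %d" % i for i in range(5)])

if __name__ == "__main__":
    rules = [(BAR_SOME["sourcetype"], parse_rule_checks(BAR_SOME))]
    print(classify(BARRY_LINES, rules), classify(PLAIN_LINES, rules))
```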


#******************************************************************************

# Annotation Processor configuration

#******************************************************************************


ANNOTATE_PUNCT = [true|false]

* Determines whether to index a special token starting with "punct::"

        * The "punct::" key contains punctuation in the text of the event.

          It can be useful for finding similar events

        * If it is not useful for your dataset, or if it ends up taking

          too much space in your index it is safe to disable it

* Defaults to true.


#******************************************************************************

# Header Processor configuration

#******************************************************************************


HEADER_MODE = <empty> | always | firstline | none

* Determines whether to use the inline ***SPLUNK*** directive to rewrite index-time fields.

        * If "always", any line with ***SPLUNK*** can be used to rewrite index-time fields.

        * If "firstline", only the first line can be used to rewrite index-time fields.

        * If "none", the string ***SPLUNK*** is treated as normal data.

        * If <empty>, scripted inputs take the value "always" and file inputs take the value "none".

* Defaults to <empty>.


#******************************************************************************

# Internal settings

#******************************************************************************


# NOT YOURS. DO NOT SET.


_actions = <string>

* Internal field used for user-interface control of objects.

* Defaults to "new,edit,delete".


pulldown_type = <bool>

* Internal field used for user-interface control of source types.

* Defaults to empty.


given_type = <string>

* Internal field used by the CHECK_FOR_HEADER feature to remember the original sourcetype.

* Defaults to unset.



Posted by fckorea

#   Version 6.0

#

# Forwarders require outputs.conf; non-forwarding Splunk instances do not use it.  It determines how the 

# forwarder sends data to receiving Splunk instances, either indexers or other forwarders.

#

# To configure forwarding, create an outputs.conf file in $SPLUNK_HOME/etc/system/local/. 

# For examples of its use, see outputs.conf.example.

#

# You must restart Splunk to enable configurations.

#

# To learn more about configuration files (including precedence) please see the documentation 

# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

#

# NOTE: To learn more about forwarding, see the documentation at 

# http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Aboutforwardingandreceivingdata


# GLOBAL SETTINGS

# Use the [default] stanza to define any global settings.

#     * You can also define global settings outside of any stanza, at the top of the file.

#     * Each conf file should have at most one default stanza. If there are multiple default

#       stanzas, attributes are combined. In the case of multiple definitions of the same

#       attribute, the last definition in the file wins.

#     * If an attribute is defined at both the global level and in a specific stanza, the

#       value in the specific stanza takes precedence.


############

TCP Output stanzas

############

# There are three levels of TCP Output stanzas: 

# * Global: [tcpout]

# * Target group: [tcpout:<target_group>]

# * Single server: [tcpout-server://<ip address>:<port>]

#

# Settings at more specific levels override settings at higher levels. For example, an attribute set for a single

# server overrides the value of that attribute, if any, set at that server's target group stanza. See the online 

# documentation on configuring forwarders for details.

#

# This spec file first describes the three levels of stanzas (and any attributes unique to a particular level). 

# It then describes the optional attributes, which can be set at any  of the three levels.



#----TCP Output Global Configuration -----

# The global configurations specified here in the [tcpout] stanza can be overwritten in stanzas for specific 

# target groups, as described later. Note that the defaultGroup and indexAndForward attributes can only be set

# here, at the global level.

#

# Starting with 4.2, the [tcpout] stanza is no longer required.


[tcpout]


defaultGroup = <target_group>, <target_group>, ...

* Sets the group(s) that logs are forwarded to.

* The group name is the <target_group> of [tcpout:<target_group>].

* Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas.

* The forwarder sends all data to the specified groups.

* If you don't want to forward data automatically, don't set this attribute.

* Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a 

  props.conf/transforms.conf modifier.

* Starting with 4.2, this attribute is no longer required. 


indexAndForward = [true|false]

* Sets both indexing and forwarding.

* If false, only forwarding is performed.

* Index all data locally, in addition to forwarding it.

* This is known as an "index-and-forward" configuration.

* This attribute is only available for heavy forwarders.

* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.

* Defaults to false.


#----Target Group Configuration -----


# If multiple servers are specified in a target group, the forwarder performs auto load-balancing, sending data 

# alternately to each available server in the group. For example, assuming you have three servers (server1, server2,

# server3) and autoLBFrequency=30, the forwarder sends all data to server1 for 30 seconds, then it sends all data

# to server2 for the next 30 seconds, then all data to server3 for the next 30 seconds, finally cycling back to server1. 

#

# You can have as many target groups as you want.

# If more than one target group is specified, the forwarder sends all data to each target group. 

# This is known as "cloning" the data.



[tcpout:<target_group>]


server = [<ip>|<servername>]:<port>, [<ip>|<servername>]:<port>, ...

* Sets the list of servers to forward to.

    * Required.

    * Takes a comma separated list of one or more systems to send data to over

      a tcp socket.

    * Typically used to specify receiving splunk systems, although it can be

      used to send data to non-splunk systems (see sendCookedData setting).

    * For each mentioned system, the following are required:

        * IP or servername where the system is listening.

        * Port on which the receiving system is listening.


masterUri = [<ip>|<servername>]:<port>

* Optional 

* When configured as a cluster, this enables the forwarder to get peer

  information from the master.


blockWarnThreshold = <integer>

* Optional

* Default value is 100

* Sets the output pipeline send-failure count threshold after which a failure message

  is displayed as a banner in the UI.

* To disable warnings to the UI on a blocked output queue condition, set this

  to a large value (2 million, for example).

#----Single server configuration -----


# You can define specific configurations for individual indexers on a server-by-server

# basis.  However, each server must also be part of a target group.


[tcpout-server://<ip address>:<port>]

    * Optional.  There is no requirement to have any tcpout-server stanzas.


############

#----TCPOUT ATTRIBUTES----

############

# These attributes are optional and can appear in any of the three stanza levels.


[tcpout<any of above>]


#----General Settings----


sendCookedData = [true|false]

* If true, events are cooked (have been processed by Splunk).

* If false, events are raw and untouched prior to sending.

* Set to false if you are sending to a third-party system.

* Defaults to true.


heartbeatFrequency = <integer>

* How often (in seconds) to send a heartbeat packet to the receiving server.

* Heartbeats are only sent if sendCookedData=true.

* Defaults to 30 seconds.

blockOnCloning = [true|false]

* If true, TcpOutputProcessor blocks until at least one of the cloned groups gets events. This will

  not drop events when all the cloned groups are down.

* If false, TcpOutputProcessor will drop events when all the cloned groups are down and queues for

  the cloned groups are full. When at least one of the cloned groups is up and queues are not full,

  the events are not dropped.

* Defaults to true.

compressed = [true|false]

* Applies to non-SSL forwarding only. For SSL, the useClientSSLCompression setting is used.

* If true, forwarder sends compressed data.

* If set to true, the receiver port must also have compression turned on (in its inputs.conf file).

* Defaults to false.


negotiateNewProtocol = [true|false]

* When setting up a connection to an indexer, try to negotiate the use of the new forwarder protocol.

* If set to false, the forwarder will not query the indexer for support for the new protocol, and the connection will fall back on the traditional protocol.

* Defaults to true.


channelReapInterval = <integer>

* Controls how often, in milliseconds, channel codes are reaped, i.e. made available for re-use.

* This value sets the minimum time between reapings; in practice, consecutive reapings may be separated by greater than <channelReapInterval> milliseconds.

* Defaults to 60000 (1 minute)


channelTTL = <integer>

* Controls how long, in milliseconds, a channel may remain "inactive" before it is reaped, i.e. before its code is made available for re-use by a different channel.

* Defaults to 300000 (5 minutes)


channelReapLowater = <integer>

* If the number of active channels is above <channelReapLowater>, we reap old channels in order to make their channel codes available for re-use.

* If the number of active channels is below <channelReapLowater>, we do not reap channels, no matter how old they are.

* This value essentially determines how many active-but-old channels we keep "pinned" in memory on both sides of a splunk-to-splunk connection.

* A non-zero value helps ensure that we do not waste network resources by "thrashing" channels in the case of a forwarder sending a trickle of data.

* Defaults to 10.


#----Queue Settings----


maxQueueSize = [<integer>|<integer>[KB|MB|GB]|auto]

* This attribute sets the maximum size of the forwarder's output queue. 

* The size can be limited based on the number of entries, or on the total memory used by the items

  in the queue.

* If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates

  the maximum count of queued items.

* If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB),

  maxQueueSize indicates the maximum RAM size of all the items in the queue.

* If set to auto, chooses a value depending on whether useACK is enabled.

  * If useACK=false, uses 500KB

  * If useACK=true, uses 7MB

* If the useACK setting is enabled, the maximum size of the wait queue is set to 3x this value.

  * Although the wait queue and the output queue sizes are both controlled by this attribute, they

    are separate.

* Limiting the queue sizes by quantity is largely historical.  However, should you choose to

  configure queues based on quantity, keep the following in mind:

  * Queued items can be events or blocks of data.

    * Non-parsing forwarders, such as universal forwarders, will send blocks, which may be

      up to 64KB.

    * Parsing forwarders, such as heavy forwarders, will send events, which will be the

      size of the events.  For some events these are as small as a few hundred bytes.  In unusual

      cases (data dependent), customers may arrange to produce events that are multiple megabytes.

* Defaults to auto

  * If useACK is enabled, effectively defaults the wait queue to 21MB
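As an added worked example (not part of the Splunk spec), the following Python parser accepts the three forms of maxQueueSize described above (a lone integer, an integer with a KB/MB/GB suffix, or auto) and derives the wait-queue size that useACK adds on top. The binary unit multipliers (1024) and the function names are assumptions; the spec itself does not say whether KB means 1000 or 1024 bytes.

```python
import re

# Unit multipliers (assumption: the spec does not state whether KB is 1000 or 1024 bytes)
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
AUTO_NO_ACK = 500 * UNITS["KB"]  # spec: auto with useACK=false uses 500KB
AUTO_WITH_ACK = 7 * UNITS["MB"]  # spec: auto with useACK=true uses 7MB


def parse_max_queue_size(value: str, use_ack: bool) -> tuple:
    """Parse a maxQueueSize value into ("count", n) or ("bytes", n).

    A lone integer limits the number of queued items; an integer followed by
    KB/MB/GB limits the RAM used by queued items; "auto" picks a byte size
    depending on whether useACK is enabled.
    """
    v = value.strip()
    if v.lower() == "auto":
        return ("bytes", AUTO_WITH_ACK if use_ack else AUTO_NO_ACK)
    m = re.fullmatch(r"(\d+)\s*(KB|MB|GB)?", v, re.IGNORECASE)
    if m is None:
        raise ValueError(f"invalid maxQueueSize value: {value!r}")
    n = int(m.group(1))
    if m.group(2):
        return ("bytes", n * UNITS[m.group(2).upper()])
    return ("count", n)


def queue_budget(value: str, use_ack: bool) -> dict:
    """Return the output-queue limit plus the 3x wait queue that useACK adds."""
    kind, n = parse_max_queue_size(value, use_ack)
    wait = 3 * n if use_ack else 0
    return {"kind": kind, "output_queue": n, "wait_queue": wait, "total": n + wait}


if __name__ == "__main__":
    # auto with useACK reproduces the spec's figures: 7MB output + 21MB wait = 28MB
    print(queue_budget("auto", use_ack=True))
    print(queue_budget("100MB", use_ack=False))
    print(queue_budget("100", use_ack=False))  # count-based limit, largely historical
```

The total for auto with useACK=true (28MB) is the figure the useACK section of this spec quotes for the outbound queue memory increase, so the parser can be used to sanity-check a forwarder's memory budget before enabling acknowledgment.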


dropEventsOnQueueFull = <integer>

* If set to a positive number, wait <integer> seconds before throwing out all new events until the output queue has space.

* Setting this to -1 or 0 will cause the output queue to block when it gets full, causing further blocking up the processing chain.

* If any target group's queue is blocked, no more data will reach any other target group.

* Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down 

  (or jammed up) before queue blocking can occur.

* Defaults to -1 (do not drop events).

* DO NOT SET THIS VALUE TO A POSITIVE INTEGER IF YOU ARE MONITORING FILES!


dropClonedEventsOnQueueFull = <integer>

* If set to a positive number, do not block completely, but wait up to <integer> seconds to queue events to a group. If it

  cannot enqueue to a group for more than <integer> seconds, begin dropping events for the group. This makes sure that at least

  one group in the cloning configuration will get events. It blocks if an event cannot be delivered to any of the cloned groups.

* If set to -1, the TcpOutputProcessor will make sure that each group will get all of the events.  If one of the groups is down,

  then Splunk will block everything.

* Defaults to 5.


#----Backoff Settings When Unable To Send Events to Indexer----

# The settings in this section determine forwarding behavior when there

# are repeated failures in sending events to an indexer ("sending failures").


maxFailuresPerInterval = <integer>

* Specifies the maximum number of failures allowed per interval before backoff

  takes place. The interval is defined below.

* Defaults to 2.


secsInFailureInterval = <integer>

* Number of seconds in an interval. If the number of write failures exceeds maxFailuresPerInterval

  in the specified secsInFailureInterval seconds, the forwarder applies backoff. The backoff time 

  period range is 1-10 * autoLBFrequency.

* Defaults to 1.


backoffOnFailure = <positive integer>

* Number of seconds a forwarder will wait before making another connection attempt.

* Defaults to 30


maxConnectionsPerIndexer = <integer>

* Maximum number of allowed connections per indexer. In the presence of failures, the maximum number of connection

  attempts per indexer at any point in time.

* Defaults to 2.


connectionTimeout = <integer>

* Time out period if connection establishment does not finish in <integer> seconds.

* Defaults to 20 seconds.


readTimeout = <integer>

* Time out period if read from socket does not finish in <integer> seconds.

* This timeout is used to read acknowledgment when indexer acknowledgment is used (useACK=true).

* Defaults to 300 seconds.


writeTimeout = <integer>

* Time out period if write on socket does not finish in <integer> seconds.

* Defaults to 300 seconds.


dnsResolutionInterval = <integer>

* Specifies the base time interval in seconds at which indexer DNS names are resolved to IP addresses.

  This is used to compute the runtime dnsResolutionInterval as follows:

  runtime interval = dnsResolutionInterval + (number of indexers in server settings - 1)*30.

  The DNS resolution interval is extended by 30 seconds for each additional indexer in the server setting.

* Defaults to 300 seconds.


forceTimebasedAutoLB = [true|false]

* Will force existing streams to switch to newly elected indexer every AutoLB cycle.

* Defaults to false


#----Index Filter Settings----

# These attributes are only applicable under the global [tcpout] stanza. This filter does not work if it is created 

# under any other stanza.

forwardedindex.<n>.whitelist = <regex>

forwardedindex.<n>.blacklist = <regex>

* These filters determine which events get forwarded, based on the indexes they belong to.

* This is an ordered list of whitelists and blacklists, which together decide if events should be forwarded to an index.

* The order is determined by <n>. <n> must start at 0 and continue with positive integers, in sequence. There cannot be any

  gaps in the sequence. (For example, forwardedindex.0.whitelist, forwardedindex.1.blacklist, forwardedindex.2.whitelist, ...). 

* The filters can start from either whitelist or blacklist. They are tested from forwardedindex.0 to forwardedindex.<max>.

* If both forwardedindex.<n>.whitelist and forwardedindex.<n>.blacklist are present for the same value of n, then

  forwardedindex.<n>.whitelist is honored. forwardedindex.<n>.blacklist is ignored in this case.

* You should not normally need to change these filters from their default settings in $SPLUNK_HOME/etc/system/default/outputs.conf.

* Filtered out events are not indexed if local indexing is not enabled.


forwardedindex.filter.disable = [true|false]

* If true, disables index filtering. Events for all indexes are then forwarded.

* Defaults to false.
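The ordered whitelist/blacklist evaluation described above, as an added Python example that is not part of the Splunk spec. It checks the "<n> starts at 0 with no gaps" rule, honors the whitelist when both exist for the same <n>, and respects forwardedindex.filter.disable. The sample settings are constructed for illustration and are not Splunk's shipped defaults; the decision rule that the last matching filter wins, and that an index matched by no filter is not forwarded, is an assumption, since the spec only says filters are tested from 0 to <max>.

```python
import re

# Constructed settings for illustration; these are not Splunk's shipped defaults.
SAMPLE_TCPOUT = {
    "forwardedindex.0.whitelist": ".*",
    "forwardedindex.1.blacklist": "_.*",
    "forwardedindex.2.whitelist": "_audit",
    "forwardedindex.filter.disable": "false",
}

KEY_RE = re.compile(r"forwardedindex\.(\d+)\.(whitelist|blacklist)")


def collect_filters(settings: dict) -> dict:
    """Group forwardedindex.<n>.whitelist/blacklist keys by <n>."""
    by_n = {}
    for key, value in settings.items():
        m = KEY_RE.fullmatch(key)
        if m:
            by_n.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return by_n


def sequence_errors(settings: dict) -> list:
    """Report violations of the rule that <n> starts at 0 and has no gaps."""
    by_n = collect_filters(settings)
    return [f"missing forwardedindex.{n}" for n in range(len(by_n)) if n not in by_n]


def ordered_filters(settings: dict) -> list:
    """Return [(kind, compiled_regex), ...] in <n> order.

    When both a whitelist and a blacklist exist for the same <n>, the
    whitelist is honored and the blacklist ignored, as the spec states.
    """
    errors = sequence_errors(settings)
    if errors:
        raise ValueError("; ".join(errors))
    by_n = collect_filters(settings)
    result = []
    for n in sorted(by_n):
        entry = by_n[n]
        kind = "whitelist" if "whitelist" in entry else "blacklist"
        result.append((kind, re.compile(entry[kind])))
    return result


def should_forward(index: str, settings: dict) -> bool:
    """Decide whether events belonging to `index` are forwarded.

    Assumption (the spec only says filters are tested from 0 to <max>):
    filters are applied in order, the last one whose regex matches the whole
    index name decides, and an index matched by no filter is not forwarded.
    """
    if settings.get("forwardedindex.filter.disable", "false").lower() == "true":
        return True  # spec: filtering disabled, events for all indexes are forwarded
    decision = False
    for kind, regex in ordered_filters(settings):
        if regex.fullmatch(index):
            decision = (kind == "whitelist")
    return decision


if __name__ == "__main__":
    for name in ("main", "_internal", "_audit"):
        print(name, "->", "forward" if should_forward(name, SAMPLE_TCPOUT) else "drop")
```

With the constructed settings, "main" is forwarded, internal indexes are held back by the blacklist at <n>=1, and "_audit" is re-admitted by the whitelist at <n>=2, which is the pattern a practitioner uses to keep audit data flowing to a central indexer while not duplicating other internal indexes.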


#----Automatic Load-Balancing----

autoLB = true

* Automatic load balancing is the only way to forward data. Round-robin method is not supported anymore.

* Defaults to true.


autoLBFrequency = <seconds>

* Every autoLBFrequency seconds, a new indexer is selected randomly from the list of indexers provided in the server attribute 

  of the target group stanza.

* Defaults to 30 (seconds).


#----SSL Settings----


# To set up SSL on the forwarder, set the following attribute/value pairs.

# If you want to use SSL for authentication, add a stanza for each receiver that must be 

# certified.


sslPassword = <password>

* The password associated with the CAcert.

* The default Splunk CAcert uses the password "password".

* There is no default value.


sslCertPath = <path>

* If specified, this connection will use SSL.  

* This is the path to the client certificate.

* There is no default value.


sslRootCAPath = <path>

* The path to the root certificate authority file (optional).

* There is no default value.


sslVerifyServerCert = [true|false]

* If true, you must make sure that the server you are connecting to is a valid one (authenticated).  

* Both the common name and the alternate name of the server are then checked for a match.

* Defaults to false.


sslCommonNameToCheck = <string>

* Check the common name of the server's certificate against this name.

* If there is no match, assume that Splunk is not authenticated against this server.  

* You must specify this setting if sslVerifyServerCert is true.


sslAltNameToCheck = <string>

* Check the alternate name of the server's certificate against this name.

* If there is no match, assume that Splunk is not authenticated against this server.  

* You must specify this setting if sslVerifyServerCert is true.


useClientSSLCompression = [true|false]

* Enables compression on SSL.

* Defaults to value of useClientSSLCompression from [sslConfig] stanza in server.conf.


#----Indexer Acknowledgment ----

# Indexer acknowledgment ensures that forwarded data is reliably delivered to the receiver.

# If the receiver is an indexer, it indicates that the indexer has received the data, indexed it, and written 

# it to the file system. If the receiver is an intermediate forwarder, it indicates that the intermediate

# forwarder has successfully forwarded the data to the terminating indexer and has received acknowledgment from  

# that indexer. 


# Important: Indexer acknowledgment is a complex feature that requires careful planning. Before using it, 

# read the online topic describing it in the Distributed Deployment manual.


useACK = [true|false]

* When set to true, the forwarder will retain a copy of each sent event, until the receiving system

  sends an acknowledgement.

  * The receiver will send an acknowledgement when it has fully handled it (typically written it to

    disk in indexing)

  * In the event of receiver misbehavior (acknowledgement is not received), the data will be re-sent

    to an alternate receiver.

  * Note: the maximum memory used for the outbound data queues will increase significantly by 

    default (500KB ->  28MB) when useACK is enabled. This is intended for correctness and performance.

* When set to false, the forwarder will consider the data fully processed when it finishes writing

  it to the network socket.

* This attribute can be set at the [tcpout] or [tcpout:<target_group>] stanza levels. You cannot set

  it for individual servers at the [tcpout-server: ...] stanza level.

* Defaults to false.


############

#----Syslog output----

############

# The syslog output processor is not available for universal or light forwarders.


# The following configuration is used to send output using syslog:


[syslog]

defaultGroup = <target_group>, <target_group>, ...


[syslog:<target_group>]


#----REQUIRED SETTINGS----

# Required settings for a syslog output group:


server = [<ip>|<servername>]:<port>

* IP or servername where syslog server is running.

* Port on which server is listening. You must specify the port. Syslog, by default, uses 514.


#----OPTIONAL SETTINGS----


# Optional settings for syslog output:


type = [tcp|udp]

* Protocol used. 

* Default is udp.


priority = <priority_value> | NO_PRI

* The priority_value should be specified as "<integer>" (an integer surrounded by angle brackets). For 

  example, specify a priority of 34 like this: <34>

* The integer must be one to three digits in length.

* The value you enter will appear in the syslog header.

* Mimics the number passed via syslog interface call, documented via man syslog.

* The integer can be computed as (<facility> * 8) + <severity>. For example, if <facility> is 4 

  (security/authorization messages) and <severity> is 2 (critical conditions), the priority 

  will be 34 = (4 * 8) + 2. Set the attribute to: <34>

* The table of facility and severity (and their values) can be referenced in RFC 3164, e.g.

  http://www.ietf.org/rfc/rfc3164.txt section 4.1.1

* Defaults to <13>: a facility of "user" (typically an unspecified application)

  and a severity of "Notice".

* If you do not wish to add priority, set 'NO_PRI' as priority value.

    * Example: priority = NO_PRI

* The table is reproduced briefly here; some of these are archaic.

  Facility:

     0 kernel messages

     1 user-level messages

     2 mail system

     3 system daemons

     4 security/authorization messages

     5 messages generated internally by syslogd

     6 line printer subsystem

     7 network news subsystem

     8 UUCP subsystem

     9 clock daemon

    10 security/authorization messages

    11 FTP daemon

    12 NTP subsystem

    13 log audit

    14 log alert

    15 clock daemon

    16 local use 0  (local0)

    17 local use 1  (local1)

    18 local use 2  (local2)

    19 local use 3  (local3)

    20 local use 4  (local4)

    21 local use 5  (local5)

    22 local use 6  (local6)

    23 local use 7  (local7)

  Severity:

    0  Emergency: system is unusable

    1  Alert: action must be taken immediately

    2  Critical: critical conditions

    3  Error: error conditions

    4  Warning: warning conditions

    5  Notice: normal but significant condition

    6  Informational: informational messages

    7  Debug: debug-level messages
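The (<facility> * 8) + <severity> calculation and the table above, as an added Python example that is not part of the Splunk spec: it builds a priority value for outputs.conf and decodes one back into its facility and severity names, rejecting NO_PRI, values that are not one to three digits in angle brackets, and values outside the RFC 3164 range. The function names are my own.

```python
import re

# Facility and severity tables as listed in the spec (RFC 3164 section 4.1.1)
FACILITIES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security/authorization messages",
    5: "messages generated internally by syslogd", 6: "line printer subsystem",
    7: "network news subsystem", 8: "UUCP subsystem", 9: "clock daemon",
    10: "security/authorization messages", 11: "FTP daemon", 12: "NTP subsystem",
    13: "log audit", 14: "log alert", 15: "clock daemon",
}
for _i in range(8):
    FACILITIES[16 + _i] = f"local use {_i} (local{_i})"

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

PRI_RE = re.compile(r"<(\d{1,3})>")  # spec: one to three digits in angle brackets


def encode_priority(facility: int, severity: int) -> str:
    """Build the outputs.conf priority value: (<facility> * 8) + <severity> in angle brackets."""
    if facility not in FACILITIES or not 0 <= severity < len(SEVERITIES):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>"


def decode_priority(value: str):
    """Parse a priority value into its facility and severity with their names.

    Returns None for NO_PRI (no priority is added to the header), for values
    that do not fit the "<integer>" form, and for integers above 191
    (facility 23, severity 7), which RFC 3164 does not define.
    """
    v = value.strip()
    if v == "NO_PRI":
        return None
    m = PRI_RE.fullmatch(v)
    if m is None:
        return None
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)  # inverse of facility * 8 + severity
    if facility not in FACILITIES:
        return None
    return {"pri": pri, "facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity]}


if __name__ == "__main__":
    print(encode_priority(4, 2))          # the spec's example: <34>
    print(decode_priority("<13>"))        # the default: user-level / Notice
    print(decode_priority("<1234>"))      # None: four digits are not allowed
```

Decoding is the direction a defender usually needs: a collector receiving forwarded events can check that security/authorization messages really arrive tagged with facility 4 or 10 rather than the <13> default.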


syslogSourceType = <string>

* Specifies an additional rule for handling data, in addition to that provided by

  the 'syslog' source type.

* This string is used as a substring match against the sourcetype key.  For

  example, if the string is set to 'syslog', then all source types containing the

  string 'syslog' will receive this special treatment.

* To match a source type explicitly, use the pattern "sourcetype::sourcetype_name".

    * Example: syslogSourceType = sourcetype::apache_common

* Data which is 'syslog' or matches this setting is assumed to already be in 

  syslog format. 

* Data which does not match the rules has a header, potentially a timestamp,

  and a hostname added to the front of the event.  This is how Splunk causes

  arbitrary log data to match syslog expectations.

* Defaults to unset.


timestampformat = <format>

* If specified, the formatted timestamps are added to the start of events forwarded to syslog.

* As above, this logic is only applied when the data is neither 'syslog' nor matched by syslogSourceType.

* The format is a strftime-style timestamp formatting string. This is the same implementation used in 

  the 'eval' search command, splunk logging, and other places in splunkd.

    *  For example: %b %e %H:%M:%S

    * %b - Abbreviated month name (Jan, Feb, ...)

    * %e - Day of month

    * %H - Hour

    * %M - Minute

    * %S - Second

* For a more exhaustive list of the formatting specifiers, refer to the online documentation.

* Note that the string is not quoted.

* Defaults to unset, which means that no timestamp will be inserted into the front of events.


#---- Routing Data to Syslog Server -----

# To route data to syslog server:

# 1) Decide which events to route to which servers.

# 2) Edit the props.conf, transforms.conf, and outputs.conf files on the forwarders.


# Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing attribute as shown here:


 [<spec>]

 TRANSFORMS-routing=<unique_stanza_name>


* <spec> can be: 

  * <sourcetype>, the source type of an event 

  * host::<host>, where <host> is the host for an event 

  * source::<source>, where <source> is the source for an event 


* Use the <unique_stanza_name> when creating your entry in transforms.conf.


# Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set rules to match your props.conf stanza: 


  [<unique_stanza_name>]

  REGEX=<your_regex>

  DEST_KEY=_SYSLOG_ROUTING

  FORMAT=<unique_group_name>


* <unique_stanza_name> must match the name you created in props.conf. 

* Enter the regex rules in <your_regex> to determine which events get conditionally routed. 

* DEST_KEY should be set to _SYSLOG_ROUTING to send events via SYSLOG.

* Set FORMAT to <unique_group_name>. This should match the syslog group name you create in outputs.conf.
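The three-file routing procedure above, carried through end to end as an added Python example (not part of the Splunk spec, and not how splunkd implements it internally). It parses constructed props.conf, transforms.conf and outputs.conf fragments with configparser, then resolves one sample event through the <spec> stanza, the TRANSFORMS-routing rule with DEST_KEY=_SYSLOG_ROUTING, and the [syslog:<group>] stanza named by FORMAT. The stanza names, the regex, the 192.0.2.10 collector address and the sample log lines are all constructed; the function names are my own.

```python
import configparser
import re

# Constructed example configuration: route only SSH authentication events
# from host web01 to a syslog collector. Lines must start at column 0 because
# configparser treats indented lines as continuations.
PROPS_CONF = """\
[host::web01]
TRANSFORMS-routing = route_auth_to_siem
"""

TRANSFORMS_CONF = """\
[route_auth_to_siem]
REGEX = (Failed|Accepted) (password|publickey) for
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog
"""

OUTPUTS_CONF = """\
[syslog:siem_syslog]
server = 192.0.2.10:514
type = tcp
priority = <38>
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Read Splunk-style .conf text; keys such as DEST_KEY are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


PROPS = load_conf(PROPS_CONF)
TRANSFORMS = load_conf(TRANSFORMS_CONF)
OUTPUTS = load_conf(OUTPUTS_CONF)


def syslog_route(event: dict, props, transforms, outputs):
    """Walk props.conf -> transforms.conf -> outputs.conf for one event.

    Returns the matched syslog group's settings, or None when no rule with
    DEST_KEY=_SYSLOG_ROUTING matches (no [syslog] defaultGroup is set in this
    example, so unmatched events are not sent as syslog).
    """
    # props.conf: <spec> may be the sourcetype, host::<host> or source::<source>
    specs = [event["sourcetype"], "host::" + event["host"], "source::" + event["source"]]
    stanzas = []
    for spec in specs:
        if props.has_section(spec):
            for key, value in props.items(spec):
                if key.startswith("TRANSFORMS-"):
                    stanzas.extend(s.strip() for s in value.split(","))
    group = None
    for name in stanzas:
        if not transforms.has_section(name):
            continue
        rule = transforms[name]
        if rule.get("DEST_KEY") != "_SYSLOG_ROUTING":
            continue
        if re.search(rule["REGEX"], event["raw"]):
            group = rule["FORMAT"]  # FORMAT names the [syslog:<group>] stanza
    if group is None or not outputs.has_section("syslog:" + group):
        return None
    sect = outputs["syslog:" + group]
    return {"group": group, "server": sect["server"],
            "type": sect.get("type", "udp"),          # spec: type defaults to udp
            "priority": sect.get("priority", "<13>")}  # spec: priority defaults to <13>


def route_sample(event: dict):
    return syslog_route(event, PROPS, TRANSFORMS, OUTPUTS)


if __name__ == "__main__":
    # Constructed sample events
    auth = {"host": "web01", "source": "/var/log/auth.log", "sourcetype": "linux_secure",
            "raw": "Failed password for root from 198.51.100.7 port 51022 ssh2"}
    cron = dict(auth, raw="pam_unix(cron:session): session opened for user deploy")
    print(route_sample(auth))  # routed to siem_syslog
    print(route_sample(cron))  # None: no syslog routing for this event
```

Running the three fragments through a resolver like this before deploying them catches the usual mistakes the spec warns about: a transforms stanza name that does not match the props.conf TRANSFORMS-routing value, or a FORMAT that names a syslog group outputs.conf never defines.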


############

#----IndexAndForward Processor-----

############

# The IndexAndForward processor determines the default behavior for indexing data on a full Splunk instance. It has the "index"

# property, which determines whether indexing occurs.

#

# When Splunk is not configured as a forwarder, "index" is set to "true". That is, the Splunk instance indexes data by

# default.

#

# When Splunk is configured as a forwarder, the processor turns "index" to "false". That is, the Splunk instance does not

# index data by default.

#

# The IndexAndForward processor has no effect on the universal forwarder, which can never index data.

#

# If the [tcpout] stanza configures the indexAndForward attribute, the value of that attribute overrides the default 

# value of "index". However, if you set "index" in the [indexAndForward] stanza, described below, it supersedes any 

# value set in [tcpout].


[indexAndForward]

index = [true|false]

* If set to true, data is indexed.

* If set to false, data is not indexed.

* Default depends on whether the Splunk instance is configured as a forwarder, modified by any value configured for the 

  indexAndForward attribute in [tcpout].


selectiveIndexing = [true|false]

* When index is 'true', all events are indexed. Setting selectiveIndexing to 'true' allows you to index only the specific events

  that have the key '_INDEX_AND_FORWARD_ROUTING' set.

* '_INDEX_AND_FORWARD_ROUTING' can be set in inputs.conf as:

  [<input_stanza>]

  _INDEX_AND_FORWARD_ROUTING = local

* Defaults to false.


Posted by fckorea

#   Version 6.0 


# This file contains possible attributes and values you can use to configure inputs,

# distributed inputs such as forwarders, and file system monitoring in inputs.conf.

#

# There is an inputs.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 

# place an inputs.conf in $SPLUNK_HOME/etc/system/local/.  For examples, see inputs.conf.example.

# You must restart Splunk to enable new configurations.

#

# To learn more about configuration files (including precedence), see the documentation 

# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

#


# GLOBAL SETTINGS

# Use the [default] stanza to define any global settings.

#     * You can also define global settings outside of any stanza, at the top of the file.

#     * Each conf file should have at most one default stanza. If there are multiple default

#       stanzas, attributes are combined. In the case of multiple definitions of the same

#       attribute, the last definition in the file wins.

#     * If an attribute is defined at both the global level and in a specific stanza, the

#       value in the specific stanza takes precedence.


#*******

# GENERAL SETTINGS:

# The following attribute/value pairs are valid for all input types (except file system change monitor,

# which is described in a separate section in this file).

# You must first enter a stanza header in square brackets, specifying the input type. See further down 

# in this file for examples.   

# Then, use any of the following attribute/value pairs.

#*******


host = <string>

* Sets the host that will be shown.

* Depending on the configuration, this can be set to the server where the event occurred rather than the server that actually receives the log.

* Sets the host key/field to a static value for this stanza.

* Primarily used to control the host field, which will be used for events coming in

  via this input stanza.

* Detail: Sets the host key's initial value. The key is used during parsing/indexing, 

  in particular to set the host field. It is also the host field used at search time.

* As a convenience, the chosen string is prepended with 'host::'.

* WARNING: Do not quote the <string> value: host=foo, not host="foo".

* If set to '$decideOnStartup', will be interpreted as hostname of executing machine;

  such interpretation will occur on each splunkd startup.  This is the default.


index = <string>

* Sets the index to store into.

* In a forwarding configuration, set this to the index name on the receiving server (a local index is needed only when storing a copy).

* Sets the index to store events from this input.

* Primarily used to specify the index to store events coming in via this input stanza.

* Detail: Sets the index key's initial value. The key is used when selecting an

  index to store the events.

* Defaults to "main" (or whatever you have set as your default index).


source = <string>

* Sets the source to store.

* Sets the source key/field for events from this input.

* NOTE: Overriding the source key is generally not recommended.  Typically, the

  input layer will provide a more accurate string to aid problem

  analysis and investigation, accurately recording the file from which the data

  was retrieved.  Please consider use of source types, tagging, and search

  wildcards before overriding this value.

* Detail: Sets the source key's initial value. The key is used during

  parsing/indexing, in particular to set the source field during

  indexing.  It is also the source field used at search time.

* As a convenience, the chosen string is prepended with 'source::'.

* WARNING: Do not quote the <string> value: source=foo, not source="foo".

* Defaults to the input file path.


sourcetype = <string>

* Sets the sourcetype to store.

* Sets the sourcetype key/field for events from this input.

* Primarily used to explicitly declare the source type for this data, as opposed

  to allowing it to be determined via automated methods.  This is typically

  important both for searchability and for applying the relevant configuration for this

  type of data during parsing and indexing.

* Detail: Sets the sourcetype key's initial value. The key is used during

  parsing/indexing, in particular to set the source type field during

  indexing. It is also the source type field used at search time.

* As a convenience, the chosen string is prepended with 'sourcetype::'.

* WARNING: Do not quote the <string> value: sourcetype=foo, not sourcetype="foo".

* If unset, Splunk picks a source type based on various aspects of the data.

  There is no hard-coded default.


queue = [parsingQueue|indexQueue]

* Specifies where the input processor should deposit the events it reads.

* Set queue to "parsingQueue" to apply props.conf and other parsing rules to your data. For more 

  information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the 

  online documentation at http://docs.splunk.com/Documentation.

* Set queue to "indexQueue" to send your data directly into the index.

* Defaults to parsingQueue.


# Pipeline Key defaulting.


* Pipeline keys in general can be defaulted in inputs stanzas.

* The list of user-available modifiable pipeline keys is described in transforms.conf.spec;

  see transforms.conf.spec for further information on these keys.

* The currently-defined keys which are available literally in inputs stanzas

  are as follows:

queue = <value>

_raw  = <value>

_meta = <value>

_time = <value>

* Inputs have special support for mapping host, source, sourcetype, and index

  to their metadata names such as host -> Metadata:Host

* Defaulting these values is not recommended, and is

  generally only useful as a workaround to other product issues.

* Defaulting these keys in most cases will override the default behavior of

  input processors; but this behavior is not guaranteed in all cases.

* Values defaulted here, as with all values provided by inputs, may be

  altered by transforms at parse-time.


# ***********

# This section contains options for routing data using inputs.conf rather than outputs.conf. 

# Note concerning routing via inputs.conf:

# This is a simplified set of routing options you can use as data is coming in. 

# For more flexible options or details on configuring required or optional settings, refer to 

# outputs.conf.spec.


_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>, ...

* Comma-separated list of tcpout group names.

* Using this, you can selectively forward the data to specific indexer(s).

* Specify the tcpout group the forwarder should use when forwarding the data.

  The tcpout group names are defined in outputs.conf with [tcpout:<tcpout_group_name>].

* Defaults to groups specified in "defaultGroup" in [tcpout] stanza in outputs.conf.

* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be set to either "*" or

  a specific splunktcp target group.


_SYSLOG_ROUTING = <syslog_group_name>,<syslog_group_name>,<syslog_group_name>, ...

* Comma-separated list of syslog group names. 

* Using this, you can selectively forward the data to specific destinations as syslog events.

* Specify the syslog group to use when forwarding the data.

  The syslog group names are defined in outputs.conf with [syslog:<syslog_group_name>].

* Defaults to groups present in "defaultGroup" in [syslog] stanza in outputs.conf.

* The destination host must be configured in outputs.conf, using "server=[<ip>|<servername>]:<port>".


_INDEX_AND_FORWARD_ROUTING = <string>

* Only has effect if using selectiveIndexing feature in outputs.conf.

* If set for any input stanza, should cause all data coming from that input

  stanza to be labeled with this setting.

* When selectiveIndexing is in use on a forwarder:

  * data without this label will not be indexed by that forwarder.

  * data with this label will be indexed in addition to any forwarding.

* This setting does not actually cause data to be forwarded or not forwarded in

  any way, nor does it control where the data is forwarded in multiple-forward path

  cases.

* Defaults to not present.


#*******

# Valid input types follow, along with their input-specific attributes:

#*******



#*******

# MONITOR:

#*******


[monitor://<path>]

* This directs Splunk to watch all files in <path>. 

* <path> can be an entire directory or just a single file.

* You must specify the input type and then the path, so put three slashes in your path if you are starting 

  at the root (to include the slash that goes before the root directory).


# Additional attributes:


host_regex = <regular expression>

* If specified, <regular expression> extracts host from the path to the file for each input file. 

    * Detail: This feature examines the source key; if source is set

      explicitly in the stanza, that string will be matched, not the original filename.

* Specifically, the first group of the regex is used as the host. 

* If the regex fails to match, the default "host =" attribute is used.

* If host_regex and host_segment are both set, host_regex will be ignored.

* Defaults to unset.


host_segment = <integer>

* If set to N, the Nth "/"-separated segment of the path is set as host. If host_segment=3, for example,

  the third segment is used.

* If the value is not an integer or is less than 1, the default "host =" attribute is used.

* Defaults to unset.


whitelist = <regular expression>

* If set, files from this input are monitored only if their path matches the specified regex.

* Takes precedence over the deprecated _whitelist attribute, which functions the same way.


blacklist = <regular expression>

* If set, files from this input are NOT monitored if their path matches the specified regex.

* Takes precedence over the deprecated _blacklist attribute, which functions the same way.


Note concerning wildcards and monitor:

* You can use wildcards to specify your input path for monitored input. Use "..." for recursive directory 

  matching and "*" for wildcard matching in a single directory segment.

* "..." recurses through directories. This means that /foo/.../bar will match foo/bar, foo/1/bar, 

  foo/1/2/bar, etc. 

* You can use multiple "..." specifications in a single input path. For example: /foo/.../bar/...

* The asterisk (*) matches anything in a single path segment; unlike "...", it does not recurse.  For example, 

  /foo/*/bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar. 

  A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar, /foo/moor/bar, etc.

* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in the bar directory within the 

  specified path.
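Worked example, added here and not part of the Splunk spec or of Splunk's own code, that implements the three rules above in plain Python: the "..."/"*" wildcard semantics of a [monitor://<path>] pattern, the whitelist/blacklist filters, and the host_regex/host_segment precedence. The sample paths are constructed for the example and all function names are this example's own. Two points are assumptions rather than statements from the page: a segment that is only "*" is treated as optional because the spec's own example lists /foo/bar as a match for /foo/*/bar, and the blacklist is applied after the whitelist because the page does not say which wins when both match.

```python
import re
from typing import Optional, Union


def monitor_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a [monitor://<path>] pattern into an anchored regex.

    "..." matches any number of directory levels (including none); "*" matches
    within a single path segment.  Assumption taken from the spec's example
    (/foo/*/bar matches /foo/bar): a segment that is only "*" is optional.
    A final segment without wildcards names a file or directory, and anything
    beneath it matches too, mirroring the default recursive = true.
    """
    segments = pattern.split("/")
    out = ["^"]
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "...":
            out.append(".*" if last else "(?:[^/]+/)*")
        elif seg == "*" and not last:
            out.append("(?:[^/]+/)?")
        else:
            out.append(re.escape(seg).replace(r"\*", "[^/]*"))
            if not last:
                out.append("/")
            elif "*" not in seg:
                out.append("(?:/.*)?")
    out.append("$")
    return re.compile("".join(out))


def monitor_selects(pattern: str, path: str,
                    whitelist: Optional[str] = None,
                    blacklist: Optional[str] = None) -> bool:
    """True if path falls under the monitor pattern and survives the filters.

    whitelist/blacklist are unanchored regexes searched against the full path.
    Assumption (the page does not say which wins when both match): the blacklist
    is applied last, so a blacklisted path is dropped even if whitelisted.
    """
    if not monitor_pattern_to_regex(pattern).match(path):
        return False
    if whitelist is not None and not re.search(whitelist, path):
        return False
    if blacklist is not None and re.search(blacklist, path):
        return False
    return True


def resolve_host(source: str, default_host: str,
                 host_regex: Optional[str] = None,
                 host_segment: Union[int, str, None] = None) -> str:
    """Derive the host field from the source path as the spec describes.

    host_segment is 1-based and counted over the non-empty "/"-separated
    segments; when it is set, host_regex is ignored.  A non-integer or
    out-of-range segment, or a regex that does not match, falls back to the
    stanza's "host =" value.
    """
    if host_segment is not None:
        try:
            n = int(host_segment)
        except (TypeError, ValueError):
            return default_host
        segments = [s for s in source.split("/") if s]
        return segments[n - 1] if 1 <= n <= len(segments) else default_host
    if host_regex is not None:
        m = re.search(host_regex, source)
        if m and m.lastindex and m.group(1):
            return m.group(1)          # first capture group becomes the host
    return default_host


if __name__ == "__main__":
    # Constructed sample paths for a stanza equivalent to
    # [monitor:///var/log/hosts/.../*.log] with host_segment = 4
    for p in ("/var/log/hosts/web01/access.log", "/var/log/hosts/web01/old/access.log.gz"):
        ok = monitor_selects("/var/log/hosts/.../*.log", p, blacklist=r"\.gz$")
        print(p, "selected" if ok else "skipped", resolve_host(p, "idx1", host_segment=4))
```

Note that the pattern match and the filters are separate steps: a whitelist cannot pull in a file the pattern itself never reaches, and a file rejected by the pattern is never tested against the blacklist.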


crcSalt = <string>

* Use this setting to force Splunk to consume files that have matching CRCs (cyclic redundancy checks). (Splunk only 

  performs CRC checks against the first few lines of a file. This behavior prevents Splunk from indexing the same 

  file twice, even though you may have renamed it -- as, for example, with rolling log files. However, because the 

  CRC is based on only the first few lines of the file, it is possible for legitimately different files to have 

  matching CRCs, particularly if they have identical headers.)

* If set, <string> is added to the CRC.

* If set to the literal string <SOURCE> (including the angle brackets), the full directory path to the source file 

  is added to the CRC. This ensures that each file being monitored has a unique CRC.   When crcSalt is invoked, 

  it is usually set to <SOURCE>.

* Be cautious about using this attribute with rolling log files; it could lead to the log file being re-indexed 

  after it has rolled. 

* Defaults to empty. 


initCrcLength = <integer>

* This setting adjusts how much of a file Splunk reads before trying to identify whether it is a file that has

  already been seen.  You may want to adjust this if you have many files with common headers (comment headers,

  long CSV headers, etc) and recurring filenames.

* CAUTION: Improper use of this setting will cause data to be reindexed.  You may wish to consult with Splunk

  Support before adjusting this value - the default is fine for most installations.

* Defaults to 256 (bytes).

* Must be in the range 256-1048576.
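Added example, not Splunk code, showing the failure mode the crcSalt and initCrcLength descriptions above warn about. The two IIS-style log files below are constructed for the example and share a 300-byte comment header, longer than the default initCrcLength of 256, so a fingerprint taken over the file head alone cannot tell them apart; crcSalt = <SOURCE> or a larger initCrcLength does. The block also reproduces the rolling-log caveat: with <SOURCE> in the fingerprint, a rolled file is seen as new and read again. The CRC32 is this example's stand-in; the page does not document the algorithm Splunk actually uses, only what it covers. Function names are this example's own.

```python
import zlib
from typing import Dict, List

# Constructed sample data: two rolled IIS-style logs that share a long comment
# header.  The header is padded to 300 bytes, past the default initCrcLength.
HEADER = (b"#Software: Microsoft Internet Information Services 8.5\n"
          b"#Version: 1.0\n"
          b"#Fields: date time s-ip cs-method cs-uri-stem sc-status\n")
HEADER += b"#" + b"=" * (300 - len(HEADER) - 2) + b"\n"

FILES: Dict[str, bytes] = {
    "/var/log/iis/u_ex140101.log": HEADER + b"2014-01-01 00:00:01 10.0.0.5 GET /login 200\n",
    "/var/log/iis/u_ex140102.log": HEADER + b"2014-01-02 00:00:07 10.0.0.9 POST /login 401\n",
}


def file_fingerprint(source: str, data: bytes,
                     init_crc_length: int = 256, crc_salt: str = "") -> int:
    """Illustrative stand-in for Splunk's file fingerprint.

    Only the first init_crc_length bytes are covered, plus the salt; the
    literal "<SOURCE>" expands to the full source path.  CRC32 is this
    example's choice, not the algorithm Splunk uses, but the coverage and
    salting behaviour are what the spec describes.
    """
    if not 256 <= init_crc_length <= 1048576:
        raise ValueError("initCrcLength must be in the range 256-1048576")
    salt = source if crc_salt == "<SOURCE>" else crc_salt
    return zlib.crc32(data[:init_crc_length] + salt.encode()) & 0xFFFFFFFF


def files_to_index(files: Dict[str, bytes],
                   init_crc_length: int = 256, crc_salt: str = "") -> List[str]:
    """Return the sources that would actually be read: a file whose
    fingerprint was already seen is taken to be an already-indexed file."""
    seen, chosen = set(), []
    for source, data in files.items():
        fp = file_fingerprint(source, data, init_crc_length, crc_salt)
        if fp in seen:
            continue
        seen.add(fp)
        chosen.append(source)
    return chosen


def rollover_reindexed(data: bytes, crc_salt: str = "") -> bool:
    """The rolling-log caveat: after app.log is renamed to app.log.1 with its
    content unchanged, is the renamed file indexed a second time?"""
    rolled = {"/var/log/app.log": data, "/var/log/app.log.1": data}
    return len(files_to_index(rolled, crc_salt=crc_salt)) == 2


if __name__ == "__main__":
    sample = FILES["/var/log/iis/u_ex140101.log"]
    print("default:             ", files_to_index(FILES))
    print("crcSalt = <SOURCE>:  ", files_to_index(FILES, crc_salt="<SOURCE>"))
    print("initCrcLength = 1024:", files_to_index(FILES, init_crc_length=1024))
    print("rolled log re-indexed without salt:", rollover_reindexed(sample))
    print("rolled log re-indexed with <SOURCE>:", rollover_reindexed(sample, "<SOURCE>"))
```

The two settings fix different problems: a larger initCrcLength distinguishes files that differ only after a shared header, without the duplicate-ingestion risk that <SOURCE> carries for files that are renamed as they roll.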


ignoreOlderThan = <nonnegative integer>[s|m|h|d]

* Causes the monitored input to stop checking files for updates if their modtime has passed this threshold.

  This improves the speed of file tracking operations when monitoring directory hierarchies with large numbers

  of historical files (for example, when active log files are colocated with old files that are no longer

  being written to).

  * As a result, do not select a cutoff that could ever occur for a file

    you wish to index.  Take downtime into account!  

    Suggested value: 14d , which means 2 weeks

* A file whose modtime falls outside this time window when seen for the first time will not be indexed at all.

* Default: 0, meaning no threshold.


followTail = [0|1]

* Configures the input to collect only the newest (tail) data from a log file, skipping what is already there.

* WARNING: Use of followTail should be considered an advanced administrative action.

* Treat this setting as an 'action'.  That is, bring splunk up with this

  setting enabled.  Wait enough time for splunk to identify the related files,

  then disable the setting and restart splunk without it.

* DO NOT leave followTail enabled in an ongoing fashion.

* Do not use for rolling log files, or files whose names or paths vary.

* Can be used to force splunk to skip past all current data for a given stanza. 

  * In more detail: this is intended to mean that if you start up splunk with a

    stanza configured this way, all data in the file at the time it is first

    encountered will not be read.  Only data arriving after that first

    encounter time will be read.

  * This can be used to "skip over" data from old log files, or old portions of

    log files, to get started on current data right away.

* If set to 1, monitoring begins at the end of the file (like tail -f).

* If set to 0, Splunk will always start at the beginning of the file. 

* Defaults to 0.


alwaysOpenFile = [0|1]

* Opens a file to check whether it has already been indexed.

* Only useful for files that do not update modtime.

* Only needed when monitoring files on Windows, mostly for IIS logs.

* This flag should only be used as a last resort, as it increases load and slows down indexing.

* Defaults to 0.


time_before_close = <integer>

* Modtime delta required before Splunk can close a file on EOF.

* Tells the system not to close files that have been updated in past <integer> seconds.

* Defaults to 3.


recursive = [true|false]

* If false, Splunk will not monitor subdirectories found within a monitored directory.

* Defaults to true.


followSymlink = [true|false]

* Tells Splunk whether or not to follow any symbolic links within a directory it is monitoring.

* If set to false, Splunk will ignore symbolic links found within a monitored directory.

* If set to true, Splunk will follow symbolic links and monitor files at the symbolic link's destination.

* Additionally, any whitelists or blacklists defined for the stanza also apply to files at the symbolic link's destination.

* Defaults to true. 


_whitelist = ...

* This setting is deprecated.  It is still honored, unless "whitelist" attribute also exists.


_blacklist = ...

* This setting is deprecated.  It is still honored, unless "blacklist" attribute also exists.


dedicatedFD = ...

* This setting has been removed.  It is no longer needed.


  

#****************************************

# BATCH  ("Upload a file" in Splunk Web):

#****************************************


NOTE: Batch should only be used for large archives of historic data. If you want to continuously monitor a directory 

or index small archives, use monitor (see above). Batch reads in the file and indexes it, and then deletes the file 

from the Splunk instance. 


[batch://<path>]

* One time, destructive input of files in <path>.

* For continuous, non-destructive inputs of files, use monitor instead.


# Additional attributes:


move_policy = sinkhole

* IMPORTANT: This attribute/value pair is required. You *must* include "move_policy = sinkhole" when defining batch 

  inputs.

* This loads the file destructively.  

* Do not use the batch input type for files you do not want to consume destructively.

* As long as this is set, Splunk won't keep track of indexed files. Without the "move_policy = sinkhole" setting, 

  it won't load the files destructively and will keep a track of them. 


host_regex = see MONITOR, above.

host_segment = see MONITOR, above.

crcSalt = see MONITOR, above.


# IMPORTANT: The following attribute is not used by batch:

# source = <string>


followSymlink = [true|false]

* Works similarly to monitor, but will not delete files after following a symlink out of the monitored directory.


# The following settings work identically as for [monitor::] stanzas, documented above

host_regex = <regular expression>

host_segment = <integer>

crcSalt = <string>

recursive = [true|false]

whitelist = <regular expression>

blacklist = <regular expression>

initCrcLength = <integer>


#*******

# TCP: 

#*******


[tcp://<remote server>:<port>]

* Configure Splunk to listen on a specific port. 

* If a connection is made from <remote server>, this stanza is used to configure the input.

* If <remote server> is empty, this stanza matches all connections on the specified port.

* Will generate events with source set to tcp:portnumber,  for example: tcp:514

* If sourcetype is unspecified, events are generated with sourcetype set to tcp-raw.


# Additional attributes:


connection_host = [ip|dns|none]

* "ip" sets the host to the IP address of the system sending the data. 

* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.

* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.

* Defaults to "dns".


queueSize = <integer>[KB|MB|GB]

* Maximum size of the in-memory input queue. 

* Defaults to 500KB.


persistentQueueSize = <integer>[KB|MB|GB|TB]

* Maximum size of the persistent queue file.

* Defaults to 0 (no persistent queue).

* If set to some value other than 0, persistentQueueSize must be larger than the in-memory queue size 

  (set by queueSize attribute in inputs.conf or maxSize settings in [queue] stanzas in server.conf).

* Persistent queues can help prevent loss of transient data. For information on persistent queues and how the 

  queueSize and persistentQueueSize settings interact, see the online documentation.


requireHeader = <bool>

* Require a header be present at the beginning of every stream.

* This header may be used to override indexing settings.

* Defaults to false.


listenOnIPv6 = <no | yes | only>

* Toggle whether this listening port will listen on IPv4, IPv6, or both

* If not present, the setting in the [general] stanza of server.conf will be used


acceptFrom = <network_acl> ...

* Lists a set of networks or addresses to accept connections from.  These rules are separated by commas or spaces

* Each rule can be in the following forms:

*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")

*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")

*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")

*   4. A single '*' which matches anything

* Entries can also be prefixed with '!' to cause the rule to reject the

  connection.  Rules are applied in order, and the first one to match is

  used.  For example, "!10.1/16, *" will allow connections from everywhere

  except the 10.1.*.* network.

* Defaults to "*" (accept from anywhere)
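Added example, not Splunk's implementation, of the acceptFrom rule evaluation described above; the same setting with the same semantics appears in the splunktcp, splunktcp-ssl, tcp-ssl and udp stanzas later on this page. Rules are split on commas or whitespace and applied in order, the first match decides, a leading '!' rejects, and a peer matching no rule is refused; an unset or empty value is treated as "*" per the documented default. The short CIDR forms "10/8" and "fe80:1234/32" are padded out before evaluation. A DNS-name rule needs the peer's reverse-DNS name, which the caller passes in as peer_name because no lookup is performed here. All names in the block and the sample peers are this example's own.

```python
import fnmatch
import ipaddress
import re
from typing import Optional, Tuple


def parse_rule(rule: str) -> Tuple[bool, str, object]:
    """Parse one acceptFrom rule into (negated, kind, value).

    kind is "any" for "*", "net" for a CIDR block, "addr" for a single
    address, or "dns" for a (possibly wildcarded) host name.  The short CIDR
    forms the spec allows, "10/8" and "fe80:1234/32", are padded out to a
    form the ipaddress module accepts.
    """
    negated = rule.startswith("!")
    body = rule[1:] if negated else rule
    if body == "*":
        return negated, "any", None
    if "/" in body:
        net, bits = body.split("/", 1)
        if ":" in net:
            if "::" not in net and net.count(":") < 7:
                net += "::"
        else:
            octets = net.split(".")
            net = ".".join(octets + ["0"] * (4 - len(octets)))
        return negated, "net", ipaddress.ip_network(f"{net}/{bits}", strict=False)
    try:
        return negated, "addr", ipaddress.ip_address(body)
    except ValueError:
        return negated, "dns", body.lower()


def accept_from(acl: Optional[str], peer_ip: str,
                peer_name: Optional[str] = None) -> bool:
    """Evaluate an acceptFrom value against a connecting peer.

    Rules are split on commas or whitespace and applied in order; the first
    rule that matches decides, "!" rules reject, and a peer that matches no
    rule is refused.  An unset or empty value means "*" (the default).
    peer_name stands in for the reverse-DNS name of peer_ip; no lookup is
    done here.
    """
    ip = ipaddress.ip_address(peer_ip)
    rules = [r for r in re.split(r"[,\s]+", (acl or "").strip()) if r] or ["*"]
    for rule in rules:
        negated, kind, value = parse_rule(rule)
        if kind == "any":
            hit = True
        elif kind == "net":
            hit = ip in value           # False across IPv4/IPv6 versions
        elif kind == "addr":
            hit = ip == value
        else:
            hit = peer_name is not None and fnmatch.fnmatchcase(peer_name.lower(), value)
        if hit:
            return not negated
    return False


if __name__ == "__main__":
    # Constructed peers checked against the spec's own example ACL
    for peer in ("10.1.5.5", "10.2.5.5", "fe80::4a3"):
        print(f'"!10.1/16, *" {peer:>10} ->', accept_from("!10.1/16, *", peer))
```

Two practical consequences follow from first-match-wins: "*, !10.1/16" accepts everything, because the deny after a catch-all never fires, and a DNS-name rule is only as trustworthy as the reverse DNS for the peer's address, which the owner of that address space controls. For enforcement, prefer address and CIDR rules and put the '!' entries first.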


rawTcpDoneTimeout = <seconds>

* Specifies timeout value for sending Done-key.

* If a connection over this port remains idle after receiving data for specified seconds,

  it adds a Done-key, thus declaring the last event has been completely received.

* Defaults to 10 seconds.


#*******

# Data distribution:

#*******


# Global settings for splunktcp. Used on the receiving side for data forwarded from a forwarder.


[splunktcp]

route = [has_key|absent_key:<key>:<queueName>;...]

* Settings for the light forwarder.

* Splunk sets these parameters automatically -- you DO NOT need to set them.

* The property route is composed of rules delimited by ';'.

* Splunk checks each incoming data payload via cooked tcp port against the route rules. 

* If a matching rule is found, Splunk sends the payload to the specified <queueName>.

* If no matching rule is found, Splunk sends the payload to the default queue

  specified by any queue= for this stanza. If no queue= key is set in

  the stanza or globally, the events will be sent to the parsingQueue. 


enableS2SHeartbeat = [true|false]

* This specifies the global keepalive setting for all splunktcp ports.

* This option is used to detect forwarders which may have become unavailable due to network, firewall, etc., problems.

* Splunk will monitor each connection for presence of heartbeat, and if the heartbeat is not seen for 

  s2sHeartbeatTimeout seconds, it will close the connection.

* Defaults to true (heartbeat monitoring enabled).


s2sHeartbeatTimeout = <seconds>

* This specifies the global timeout value for monitoring heartbeats.

* Splunk will close a forwarder connection if heartbeat is not seen for s2sHeartbeatTimeout seconds.

* Defaults to 600 seconds (10 minutes).


inputShutdownTimeout = <seconds>

* Used during shutdown to minimize data loss when forwarders are connected to a receiver. 

  During shutdown, the tcp input processor waits for the specified number of seconds and then 

  closes any remaining open connections. If, however, all connections close before the end of 

  the timeout period, shutdown proceeds immediately, without waiting for the timeout.


listenOnIPv6 = <no | yes | only>

* Toggle whether this listening port will listen on IPv4, IPv6, or both

* If not present, the setting in the [general] stanza of server.conf will be used


acceptFrom = <network_acl> ...

* Lists a set of networks or addresses to accept connections from.  These rules are separated by commas or spaces

* Each rule can be in the following forms:

*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")

*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")

*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")

*   4. A single '*' which matches anything

* Entries can also be prefixed with '!' to cause the rule to reject the

  connection.  Rules are applied in order, and the first one to match is

  used.  For example, "!10.1/16, *" will allow connections from everywhere

  except the 10.1.*.* network.

* Defaults to "*" (accept from anywhere)


negotiateNewProtocol = [true|false]

* If set to true, allow forwarders that connect to this indexer (or specific port) to send data using the new forwarder protocol.

* If set to false, deny the use of the new forwarder protocol during connection negotiation.

* Defaults to true.


concurrentChannelLimit = <unsigned integer>

* Each forwarder that connects to this indexer may use up to <concurrentChannelLimit> unique channel codes.

* In other words, each forwarder may have up to <concurrentChannelLimit> channels in flight concurrently.

* Splunk will close a forwarder connection if a forwarder attempts to exceed this value.

* This setting only applies when the new forwarder protocol is in use.

* Defaults to 300.


# Forwarder-specific settings for splunktcp. 


[splunktcp://[<remote server>]:<port>]

* This input stanza is used with Splunk instances receiving data from forwarders ("receivers"). See the topic 

  http://docs.splunk.com/Documentation/Splunk/latest/deploy/Aboutforwardingandreceivingdata for more information.

* This is the same as TCP, except the remote server is assumed to be a Splunk instance, most likely a forwarder. 

* <remote server> is optional.  If specified, will only listen for data from <remote server>.


connection_host = [ip|dns|none]

* For splunktcp, the host or connection_host will be used if the remote Splunk instance does not set a host, 

  or if the host is set to "<host>::<localhost>".

* "ip" sets the host to the IP address of the system sending the data. 

* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.

* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.

* Defaults to "ip".


compressed = [true|false]

* Specifies whether this port receives compressed data.

* Applies to non-SSL receiving only. There is no compression setting required for SSL.

* If set to true, the forwarder port(s) should also have compression turned on; otherwise, the receiver will 

  reject the connection.

* Defaults to false.


enableS2SHeartbeat = [true|false]

* This specifies the keepalive setting for the splunktcp port.

* This option is used to detect forwarders which may have become unavailable due to network, firewall, etc., problems.

* Splunk will monitor the connection for presence of heartbeat, and if the heartbeat is not seen for 

  s2sHeartbeatTimeout seconds, it will close the connection.

* This overrides the default value specified at the global [splunktcp] stanza.

* Defaults to true (heartbeat monitoring enabled).


s2sHeartbeatTimeout = <seconds>

* This specifies the timeout value for monitoring heartbeats.

* Splunk will close the forwarder connection if a heartbeat is not seen for s2sHeartbeatTimeout seconds.

* This overrides the default value specified at global [splunktcp] stanza.

* Defaults to 600 seconds (10 minutes).


queueSize = <integer>[KB|MB|GB]

* Maximum size of the in-memory input queue.

* Defaults to 500KB.


negotiateNewProtocol = [true|false]

* See comments for [splunktcp].


concurrentChannelLimit = <unsigned integer>

* See comments for [splunktcp].


# SSL settings for data distribution:


[splunktcp-ssl:<port>]

* Use this stanza type if you are receiving encrypted, parsed data from a forwarder.

* Set <port> to the port on which the forwarder is sending the encrypted data.

* Forwarder settings are set in outputs.conf on the forwarder.

* Compression for SSL is enabled by default. On the forwarder you can still control it with the

  'useClientSSLCompression' setting in outputs.conf. The 'compressed' setting is meant for

  non-SSL receiving; if 'compressed' is nevertheless set on an SSL port, it must match the

  forwarder's 'compressed' setting, because the splunktcp protocol expects both sides to agree.


connection_host = [ip|dns|none]

* For SplunkTCP, the host or connection_host will be used if the remote Splunk instance does not set a host, 

  or if the host is set to "<host>::<localhost>".

* "ip" sets the host to the IP address of the system sending the data. 

* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.

* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.

* Defaults to "ip".


enableS2SHeartbeat = true|false

* See comments for [splunktcp:<port>].


s2sHeartbeatTimeout = <seconds>

* See comments for [splunktcp:<port>].


listenOnIPv6 = <no | yes | only>

* Toggle whether this listening port will listen on IPv4, IPv6, or both

* If not present, the setting in the [general] stanza of server.conf will be used


acceptFrom = <network_acl> ...

* Lists a set of networks or addresses to accept connections from.  These rules are separated by commas or spaces

* Each rule can be in the following forms:

*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")

*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")

*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")

*   4. A single '*' which matches anything

* Entries can also be prefixed with '!' to cause the rule to reject the

  connection.  Rules are applied in order, and the first one to match is

  used.  For example, "!10.1/16, *" will allow connections from everywhere

  except the 10.1.*.* network.

* Defaults to "*" (accept from anywhere)


negotiateNewProtocol = [true|false]

* See comments for [splunktcp].


concurrentChannelLimit = <unsigned integer>

* See comments for [splunktcp].


[tcp-ssl:<port>]

* Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or third-party system.

* Set <port> to the port on which the forwarder/third-party system is sending unparsed, encrypted data.

listenOnIPv6 = <no | yes | only>

* Toggle whether this listening port will listen on IPv4, IPv6, or both

* If not present, the setting in the [general] stanza of server.conf will be used


acceptFrom = <network_acl> ...

* Lists a set of networks or addresses to accept connections from.  These rules are separated by commas or spaces

* Each rule can be in the following forms:

*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")

*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")

*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")

*   4. A single '*' which matches anything

* Entries can also be prefixed with '!' to cause the rule to reject the

  connection.  Rules are applied in order, and the first one to match is

  used.  For example, "!10.1/16, *" will allow connections from everywhere

  except the 10.1.*.* network.

* Defaults to "*" (accept from anywhere)


[SSL]

* Set the following specifications for SSL underneath this stanza name:


serverCert = <path>

* Full path to the server certificate.

password = <string>

* Server certificate password, if any.


rootCA = <string>

* Certificate authority list (root file).


requireClientCert = [true|false]

* Determines whether a client must authenticate.

* Defaults to false.


supportSSLV3Only = [true|false]

* If true, tells the inputproc to accept connections only from SSLv3 clients; clients that only speak TLS are refused.

* SSLv3 is an obsolete protocol version, so restricting a listener to it is not a hardening measure.

* Defaults to false.


cipherSuite = <cipher suite string>

* If set, uses the specified cipher string for the input processors.

* If not set, the default cipher string is used.

* The string uses OpenSSL cipher-list syntax. Use it to ensure that the server does not

  accept connections negotiated with weak ciphers.


allowSslRenegotiation = true|false

* In the SSL protocol, a client may request renegotiation of the connection

  settings from time to time.

* Setting this to false causes the server to reject all renegotiation

  attempts, breaking the connection.  This limits the amount of CPU a

  single TCP connection can use, but it can cause connectivity problems

  especially for long-lived connections.

* Defaults to true.


#*******

# UDP:

#*******


[udp://<remote server>:<port>]

* Similar to TCP, except that it listens on a UDP port.

* Only one stanza per port number is currently supported.

* Configure Splunk to listen on a specific port. 

* If <remote server> is specified, the specified port will only accept data from that server.

* If <remote server> is empty - [udp://<port>] - the port will accept data sent from any server.

* Will generate events with source set to udp:portnumber, for example: udp:514

* If sourcetype is unspecified, events are generated with sourcetype set to udp:portnumber.


# Additional attributes:


connection_host = [ip|dns|none]

* "ip" sets the host to the IP address of the system sending the data. 

* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.

* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.

* Defaults to "ip".


_rcvbuf = <integer>

* Specifies the receive buffer for the UDP port (in bytes).  

* If the value is 0 or negative, it is ignored.  

* Defaults to 1,572,864.

* Note: If the default value is too large for an OS, Splunk will try to set the value to 1572864/2. If that value also fails, 

  Splunk will retry with 1572864/(2*2). It will continue to retry by halving the value until it succeeds.


no_priority_stripping = [true|false]

* Setting for receiving syslog data. 

* If this attribute is set to true, Splunk does NOT strip the <priority> syslog field from received events. 

* NOTE: Do NOT include this attribute if you want to strip <priority>.

* Default is false.


no_appending_timestamp = [true|false]

* If this attribute is set to true, Splunk does NOT append a timestamp and host to received events.

* NOTE: Do NOT include this attribute if you want to append timestamp and host to received events.

* Default is false.

 

queueSize = <integer>[KB|MB|GB]

* Maximum size of the in-memory input queue.

* Defaults to 500KB.


persistentQueueSize = <integer>[KB|MB|GB|TB]

* Maximum size of the persistent queue file.

* Defaults to 0 (no persistent queue).

* If set to some value other than 0, persistentQueueSize must be larger than the in-memory queue size 

  (set by queueSize attribute in inputs.conf or maxSize settings in [queue] stanzas in server.conf).

* Persistent queues can help prevent loss of transient data. For information on persistent queues and how the 

  queueSize and persistentQueueSize settings interact, see the online documentation.


listenOnIPv6 = <no | yes | only>

* Toggle whether this port will listen on IPv4, IPv6, or both

* If not present, the setting in the [general] stanza of server.conf will be used


acceptFrom = <network_acl> ...

* Lists a set of networks or addresses to accept data from.  These rules are separated by commas or spaces

* Each rule can be in the following forms:

*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")

*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")

*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")

*   4. A single '*' which matches anything

* Entries can also be prefixed with '!' to cause the rule to reject the

  connection.  Rules are applied in order, and the first one to match is

  used.  For example, "!10.1/16, *" will allow connections from everywhere

  except the 10.1.*.* network.

* Defaults to "*" (accept from anywhere)


#*******

# FIFO:

#*******


[fifo://<path>]

* This directs Splunk to read from a FIFO at the specified path.


queueSize = <integer>[KB|MB|GB]

* Maximum size of the in-memory input queue.

* Defaults to 500KB.


persistentQueueSize = <integer>[KB|MB|GB|TB]

* Maximum size of the persistent queue file.

* Defaults to 0 (no persistent queue).

* If set to some value other than 0, persistentQueueSize must be larger than the in-memory queue size 

  (set by queueSize attribute in inputs.conf or maxSize settings in [queue] stanzas in server.conf).

* Persistent queues can help prevent loss of transient data. For information on persistent queues and how the 

  queueSize and persistentQueueSize settings interact, see the online documentation.



#*******

# Scripted Input:

#*******


[script://<cmd>]

* Runs <cmd> at a configured interval (see below) and indexes the output.  

* The <cmd> must reside in one of 

  *  $SPLUNK_HOME/etc/system/bin/

  *  $SPLUNK_HOME/etc/apps/$YOUR_APP/bin/

  *  $SPLUNK_HOME/bin/scripts/

* Script path can be an absolute path, make use of an environment variable such as $SPLUNK_HOME, 

  or use the special pattern of an initial '.' as the first directory to

  indicate a location inside the current app.   Note that the '.' must be

  followed by a platform-specific directory separator.

  * For example, on UNIX:

        [script://./bin/my_script.sh]

    Or on Windows:

        [script://.\bin\my_program.exe]

    This '.' pattern is strongly recommended for app developers, and necessary

    for operation in search head pooling environments.

* Splunk on Windows ships with several Windows-only scripted inputs. Check toward the end of the inputs.conf.example 

  for examples of the stanzas for specific Windows scripted inputs that you must add to your inputs.conf file.

* <cmd> can also be a path to a file that ends with a ".path" suffix. A file with this suffix is a special type of 

  pointer file that points to a command to be executed.  Although the pointer file is bound by the same location

  restrictions mentioned above, the command referenced inside it can reside anywhere on the file system.  

  This file must contain exactly one line: the path to the command to execute, optionally followed by 

  command line arguments.  Additional empty lines and lines that begin with '#' are also permitted and will be ignored.


interval = [<number>|<cron schedule>]

* How often to execute the specified command (in seconds), or a valid cron schedule. 

* NOTE: when a cron schedule is specified, the script is not executed on start-up.

* If specified as a number, may have a fractional component; e.g., 3.14

* Defaults to 60.0 seconds.


passAuth = <username>

* User to run the script as.

* If you provide a username, Splunk generates an auth token for that user and passes it to the script via stdin.

    

queueSize = <integer>[KB|MB|GB]

* Maximum size of the in-memory input queue.

* Defaults to 500KB.


persistentQueueSize = <integer>[KB|MB|GB|TB]

* Maximum size of the persistent queue file.

* Defaults to 0 (no persistent queue).

* If set to some value other than 0, persistentQueueSize must be larger than the in-memory queue size 

  (set by queueSize attribute in inputs.conf or maxSize settings in [queue] stanzas in server.conf).

* Persistent queues can help prevent loss of transient data. For information on persistent queues and how the 

  queueSize and persistentQueueSize settings interact, see the online documentation.


index = <index name>

* The index into which the script's output is indexed.

* Note: this parameter will be passed as a command-line argument to <cmd> in the format: -index <index name>.

  If the script does not need the index info, it can simply ignore this argument.

* If no index is specified, the default index will be used for the script output.


start_by_shell = [true|false]

* If set to true, the specified command will be run via the OS's shell ("/bin/sh -c" on UNIX,

  "cmd.exe /c" on Windows)

* If set to false, the program will be run directly without attempting to expand shell

  metacharacters.

* Defaults to true on UNIX, false on Windows.

* Usually the default is fine, but you may want to explicitly set this to false for scripts

  that you know do not need UNIX shell metacharacter expansion.
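Added example, not Splunk code, showing what start_by_shell changes in practice. The same <cmd> string is executed both ways: through "/bin/sh -c" as for start_by_shell = true, and as a directly executed argv as for start_by_shell = false. Using shlex.split to turn the string into argv in the direct case is this example's choice; the page only says that no metacharacter expansion occurs. The "script" is the running Python interpreter printing its first argument, so nothing outside the block is needed beyond a POSIX /bin/sh. SPLUNK_HOME is set to a made-up value for the expansion case, and all function names are this example's own.

```python
import os
import shlex
import subprocess
import sys
from typing import Dict, List


def run_scripted_input(cmd: str, start_by_shell: bool) -> str:
    """Run a scripted-input <cmd> string the two ways the spec describes.

    start_by_shell = true  -> "/bin/sh -c <cmd>": the shell expands $VARS,
                              quotes, globs and separators such as ";" first.
    start_by_shell = false -> the program is executed directly with the string
                              split into argv; nothing is expanded.  Using
                              shlex.split for that split is this example's
                              choice; the page only says no expansion occurs.
    Returns the command's stdout.  SPLUNK_HOME is set to a made-up value so
    the expansion case has something to expand.
    """
    env = dict(os.environ, SPLUNK_HOME="/opt/splunk")
    argv: List[str] = ["/bin/sh", "-c", cmd] if start_by_shell else shlex.split(cmd)
    proc = subprocess.run(argv, capture_output=True, text=True, env=env, check=True)
    return proc.stdout.rstrip("\n")


# The "script" used below is the running Python interpreter printing its
# first argument, so this block needs no external files.
PY = shlex.quote(sys.executable)
ARGV1 = f"{PY} -c 'import sys; print(sys.argv[1])'"


def expansion_demo() -> Dict[str, str]:
    """$SPLUNK_HOME is expanded under the shell and passed literally otherwise."""
    cmd = f"{ARGV1} $SPLUNK_HOME"
    return {"shell": run_scripted_input(cmd, True),
            "direct": run_scripted_input(cmd, False)}


def injection_demo() -> Dict[str, str]:
    """A ';' smuggled into the command line runs a second program under the
    shell; without the shell it is just an inert argument to the first one."""
    cmd = f"{ARGV1} 'x'; {PY} -c 'print(\"second command ran\")'"
    return {"shell": run_scripted_input(cmd, True),
            "direct": run_scripted_input(cmd, False)}


if __name__ == "__main__":
    for name, demo in (("expansion", expansion_demo), ("injection", injection_demo)):
        r = demo()
        print(f"{name}: start_by_shell=true -> {r['shell']!r}; false -> {r['direct']!r}")
```

For a fixed, operator-written <cmd> the two forms behave the same, which is why the default is usually fine. The difference matters once any part of the command line is assembled from data the operator did not write; that is the case to set start_by_shell = false for, since the shell is then no longer available to turn a stray ';' or '$' into a second command.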


#*******

# File system change monitor (fschange monitor)

#*******


NOTE: You cannot simultaneously watch a directory using both fschange monitor and monitor (described above).


[fschange:<path>]

* Monitors all add/update/deletes to this directory and its subdirectories.

* NOTE: <path> is the direct path.  You do not need to preface it with // like other inputs.

* Sends an event for every change.


# Additional attributes:

# NOTE: fschange does not use the same attributes as other input types (described above).  Use only the following attributes:


index = <indexname>

* The index in which to store all generated events. 

* Events go to the default index unless signedaudit (below) is set to true, in which case they

  always go into _audit and this setting is ignored.


signedaudit = [true|false]

* Send cryptographically signed add/update/delete events.

* If set to true, events are *always* sent to the _audit index and will *always* have the source type "audittrail".

* If set to false, events are placed in the default index and the source type is whatever you specify (or 

 "fs_notification" by default).

* You must set signedaudit to false if you want to set the index.

* NOTE: You must also enable auditing in audit.conf.

* Defaults to false.


filters = <filter1>,<filter2>,...

* Each filter is applied left to right for each file or directory found during the monitor poll cycle. 

* See "File System Monitoring Filters" below for help defining a filter.


recurse = [true|false]

* If true, recurse directories within the directory specified in [fschange].

* Defaults to true.


followLinks = [true|false]

* If true, follow symbolic links. 

* It is recommended that you do not set this to true; file system loops can occur. 

* Defaults to false.


pollPeriod = <integer>

* Check this directory for changes every <integer> seconds. 

* Defaults to 3600 seconds (1 hour).


hashMaxSize = <integer>

* Calculate a SHA256 hash for every file that is less than or equal to <integer> bytes. 

* This hash is used as an additional method for detecting changes to the file/directory. 

* Defaults to -1 (disabled).


fullEvent = [true|false]

* Set to true to send the full event if an add or update change is detected. 

* Further qualified by the sendEventMaxSize attribute. 

* Defaults to false.


sendEventMaxSize  = <integer>

* Only send the full event if the size of the event is less than or equal to <integer> bytes. 

* This limits the size of indexed file data. 

* Defaults to -1, which is unlimited.


sourcetype = <string>

* Set the source type for events from this input.

* "sourcetype=" is automatically prepended to <string>.

* Defaults to audittrail (if signedaudit=true) or fs_notification (if signedaudit=false).


host = <string>

* Set the host for events from this input.

* Defaults to whatever host sent the event.


filesPerDelay = <integer>

* Injects a delay specified by delayInMills after processing <integer> files.

* This is used to throttle file system monitoring so it consumes less CPU.

* Defaults to 10.


delayInMills = <integer>

* The delay in milliseconds to use after processing every <integer> files, as specified in filesPerDelay.

* This is used to throttle file system monitoring so it consumes less CPU.

* Defaults to 100.


disabled = [0|1]

* Specifies whether or not the input is enabled.

* 1 to disable the input, 0 to enable it.

* Defaults to 0 (enabled).


#*******

# File system monitoring filters:

#*******


[filter:<filtertype>:<filtername>]

* Define a filter of type <filtertype> and name it <filtername>.

* <filtertype>:

  * Filter types are either 'blacklist' or 'whitelist.' 

  * A whitelist filter processes all file names that match the regex list.

  * A blacklist filter skips all file names that match the regex list.

* <filtername>

  * The filter name is used in the comma-separated list when defining a file system monitor.

regex<integer> = <regex>

* Blacklist and whitelist filters can include a set of regexes.

* The name of each regex MUST be 'regex<integer>', where <integer> starts at 1 and increments. 

* Splunk applies each regex in numeric order:

  regex1=<regex>

  regex2=<regex>

  ...
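As an added example (not Splunk's code and not part of this spec), the Python below parses a constructed inputs.conf fragment containing an [fschange:<path>] stanza and two filter stanzas, then applies the filters to candidate paths. It demonstrates two rules the spec states: regex<N> keys are applied in numeric order (so regex10 sorts after regex2, which plain string sorting would get wrong), and the names in filters= are walked left to right. The way a blacklist and a whitelist combine (a blacklist match excludes; once a whitelist is present a name must match at least one of its regexes) is this example's own interpretation, not something the spec text spells out.

```python
"""Added example: model how fschange filter stanzas are resolved and applied.

Illustrative code, not Splunk's.  The inputs.conf fragment below is constructed
for the example.  The combination rule in is_monitored() is an assumption of
this example, not a statement from the spec.
"""
import re
from configparser import ConfigParser

# Constructed inputs.conf fragment (not from the original page).
SAMPLE_CONF = r"""
[fschange:/etc]
filters = no_tmp,only_conf
pollPeriod = 600

[filter:blacklist:no_tmp]
regex1 = \.swp$
regex2 = ~$
regex10 = ^/etc/ld\.so\.cache$

[filter:whitelist:only_conf]
regex1 = \.conf$
regex2 = ^/etc/passwd$
"""


def _regex_key_number(key):
    """Return N for a key of the form regex<N>; None for anything else."""
    m = re.fullmatch(r"regex(\d+)", key)
    return int(m.group(1)) if m else None


def load_filters(conf_text):
    """Parse [filter:<type>:<name>] stanzas into {name: (type, [compiled regexes])}.

    Regexes are ordered numerically by their regex<N> suffix, as the spec
    requires; a string sort would put regex10 before regex2.
    """
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(conf_text)
    filters = {}
    for section in cp.sections():
        parts = section.split(":")
        if len(parts) != 3 or parts[0] != "filter":
            continue
        _, ftype, fname = parts
        if ftype not in ("blacklist", "whitelist"):
            raise ValueError(f"unknown filter type {ftype!r} in [{section}]")
        numbered = []
        for key, value in cp.items(section):
            n = _regex_key_number(key)
            if n is None:
                raise ValueError(f"[{section}]: key {key!r} is not regex<integer>")
            numbered.append((n, re.compile(value)))
        numbered.sort(key=lambda item: item[0])
        filters[fname] = (ftype, [rx for _, rx in numbered])
    return filters


def filter_chain(conf_text, stanza):
    """Return the filters= names of an [fschange:<path>] stanza, left to right."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    raw = cp.get(stanza, "filters", fallback="")
    return [name.strip() for name in raw.split(",") if name.strip()]


def is_monitored(path, chain, filters):
    """Decide whether a path is processed (combination rule is this example's assumption)."""
    whitelisted = None  # None: no whitelist filter seen yet
    for name in chain:
        ftype, regexes = filters[name]
        matched = any(rx.search(path) for rx in regexes)
        if ftype == "blacklist" and matched:
            return False  # a blacklist match skips the file
        if ftype == "whitelist":
            whitelisted = bool(whitelisted) or matched
    return whitelisted in (None, True)


if __name__ == "__main__":
    flt = load_filters(SAMPLE_CONF)
    chain = filter_chain(SAMPLE_CONF, "fschange:/etc")
    for p in ["/etc/rsyslog.conf", "/etc/passwd", "/etc/hosts", "/etc/ld.so.cache"]:
        print(p, is_monitored(p, chain, flt))
```

The numeric ordering matters when a later regex is meant to refine an earlier one; checking it in a small script like this before restarting splunkd is cheaper than discovering a silently skipped directory in the index.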


#*******

# WINDOWS INPUTS:

#*******


* Windows platform specific input processor.

# ***********

# Splunk for Windows ships with several Windows-only scripted inputs. They are defined in the default inputs.conf.  

 

* This is a list of the Windows scripted input stanzas:

    [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]

    [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]

    [script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]


* By default, some of the scripted inputs are enabled and others are disabled.  

* Use the "disabled=" parameter to enable/disable any of them.

* Here's a short summary of the inputs:

  * WMI: Retrieves event logs remotely and locally. It can also gather

    performance data remotely, as well as receive various system notifications.

  * RegMon: Uses a driver to track and report any changes that occur in the

    local system's Registry.

  * ADMon: Indexes existing AD objects and listens for AD changes.


###

# The following Windows input specifications are for parsing on non-Windows platforms.

###

###

# Performance Monitor

###


[perfmon://<name>]


* This section explains possible attribute/value pairs for configuring Splunk's

  Windows Performance Monitor.  

* Each perfmon:// stanza represents an individually configured performance

  monitoring input. If you configure the input through Splunk Web, then the

  value of "$NAME" will match what was specified there. While you can add

  performance monitor inputs manually, Splunk recommends that you use Splunk Web

  to configure them, because it is easy to mistype the values for

  Performance Monitor objects, counters and instances.

* Note: The perfmon stanza is for local systems ONLY. To define performance

  monitor inputs for remote machines, use wmi.conf.


object = <string>

* This is a valid Performance Monitor object as defined within Performance

  Monitor (for example, "Process," "Server," "PhysicalDisk.")

* You can specify a single valid Performance Monitor object, or use a 

  regular expression to specify multiple objects.

* This attribute is required, and the input will not run if the attribute is not

  present.

* The object name can be a regular expression (regex).

* There is no default.


counters = <semicolon-separated strings>

* This can be a single counter, or multiple valid Performance Monitor counters.

* This attribute is required, and the input will not run if the attribute is not

  present.

* '*' is equivalent to all available counters for a given Performance Monitor object.

* There is no default.


instances = <semicolon-separated strings>

* This can be a single instance, or multiple valid Performance Monitor

  instances.

* '*' is equivalent to all available instances for a given Performance Monitor

  counter.

* If applicable instances are available for a counter and this attribute is not

  present, then the input logs data for all available instances (this is the same as

  setting 'instances = *').

* If there are no applicable instances for a counter, then this attribute

  can be safely omitted.

* There is no default.


interval = <integer>

* How often, in seconds, to poll for new data.

* This attribute is required, and the input will not run if the attribute is not

  present.

* The recommended setting depends on the Performance Monitor object,

  counter(s) and instance(s) that you define in the input, and how much 

  performance data you require.  Objects with numerous instantaneous

  or per-second counters, such as "Memory," "Processor" and

  "PhysicalDisk" should have shorter interval times specified (anywhere

  from 1-3 seconds). Less volatile counters such as "Terminal Services,"

  "Paging File" and "Print Queue" can have longer times configured.

* There is no default.


mode = <output mode>

* Specifies output mode. 

* Possible values: single, multikv


samplingInterval = <sampling interval in ms>

* Advanced setting. How often, in milliseconds, to poll for new data.

* Enables high-frequency performance sampling. The input collects performance data 

  every sampling interval. It then reports averaged data and other statistics at every interval.

* The minimum legal value is 100, and the maximum legal value must be less than the value

  of the 'interval' attribute.

* If not specified, high-frequency sampling does not take place.

* Defaults to not specified (disabled).


stats = <min;max;dev;count>

* Advanced setting. Reports statistics for high-frequency performance sampling. 

* Allows values: min, max, dev, count. 

* Can be specified as a semicolon separated list.

* If not specified, the input does not produce high-frequency sampling statistics.

* Defaults to not specified (disabled).


disabled = [0|1]

* Specifies whether or not the input is enabled.

* 1 to disable the input, 0 to enable it.

* Defaults to 0 (enabled).


index = <string>

* Specifies the index that this input should send the data to.

* This attribute is optional.

* If no value is present, defaults to the default index.


showZeroValue = [0|1]

* Specifies whether or not zero value event data should be collected.

* 1 captures zero value event data, 0 ignores zero value event data.

* Defaults to 0 (ignores zero value event data).



###

# Direct Access File Monitor (does not use file handles)

# For Windows systems only.

###


[MonitorNoHandle://<path>]


* This stanza directs Splunk to intercept file writes to the specific file.

* <path> must be a fully qualified path name to a specific file.

* There can only be one of these stanzas in a configuration file. If you 

  specify more than one, Splunk only uses the first.


disabled = [0|1]

* Tells Splunk whether or not the input is enabled.

* Defaults to 0 (enabled).


index = <string>

* Tells Splunk which index to store incoming data into for this stanza.

* This field is optional.

* Defaults to the default index.


###

# Windows Event Log Monitor

###


[WinEventLog://<name>]


* This section explains possible attribute/value pairs for configuring Splunk's

  Windows event log Monitor.  

* Each WinEventLog:// stanza represents an individually configured WinEventLog

  monitoring input. If you configure the input through Splunk Web, the

  value of "$NAME" will match what was specified there. While you can add

  event log monitor inputs manually, Splunk recommends that you use the

  Manager interface to configure Windows event log monitor inputs because it is

  easy to mistype the values for event log channels.

* Note: The WinEventLog stanza is for local systems ONLY. To define event log

  monitor inputs for remote machines, use wmi.conf.


start_from = <string>

* Specifies how Splunk should chronologically read the event log channels.

* Setting this attribute to 'oldest' tells Splunk to start reading Windows event logs

  from oldest to newest.

* Setting this attribute to 'newest' tells Splunk to start reading Windows event logs 

  in reverse, from newest to oldest.  Once the input consumes the backlog of events,

  Splunk will start picking up the newest events.

* 'newest' is not supported in combination with current_only = 1 (This

    combination does not make much sense.)

* Defaults to oldest.


current_only = [0|1]

* Specifies how Splunk should index events after it starts.

* If set to 1, the input will only acquire events that arrive after the input

  starts for the first time, like 'tail -f' on *nix systems.

  * current_only = 1 is not supported with start_from = 'newest'. (It would

    not really make sense.)

* If set to 0, the input will first get all existing events in the log and then

  continue to monitor events coming in real time.

* Defaults to 0 (false), gathering stored events first before monitoring live events.


checkpointInterval = <integer>

* Sets how frequently the Windows Event Log input should save a checkpoint.

* Checkpoints store the eventID of acquired events. This allows Splunk to continue

  monitoring at the correct event after a shutdown or outage.

* The default value is 5.


disabled = [0|1]

* Specifies whether or not the input is enabled.

* 1 to disable the input, 0 to enable it.

* The default is 0 (enabled).


evt_resolve_ad_obj = [1|0] 

* Specifies how Splunk should interact with Active Directory while indexing Windows

  Event Log events.

* A value of 1 tells Splunk to resolve Active Directory objects like

  Globally Unique IDentifier (GUID) and Security IDentifier (SID) objects to their

  canonical names for a specific Windows event log channel.

* When you set this value to 1, you can optionally specify the Domain Controller name

  and/or DNS name of the domain to bind to, which Splunk will then use to resolve the AD objects.

* A value of 0 tells Splunk not to attempt any resolution.  

* By default, this attribute is enabled (1) for Security event logs and disabled for all others.

* The default is 0 (disabled).


evt_dc_name = <string> 

* Tells Splunk which Active Directory domain controller it should bind to in order to 

  resolve AD objects.

* Optional. This parameter can be left empty. 

* This name can be the NetBIOS name of the domain controller or the

  fully-qualified DNS name of the domain controller. Either name type can,

  optionally, be preceded by two backslash characters. The following examples

  represent correctly formatted domain controller names:


    * "FTW-DC-01"

    * "\\FTW-DC-01"

    * "FTW-DC-01.splunk.com"

    * "\\FTW-DC-01.splunk.com"


evt_dns_name = <string> 

* Tells Splunk the fully-qualified DNS name of the domain it should bind to in order to

  resolve AD objects.

* Optional. This parameter can be left empty.  


index = <string>

* Specifies the index that this input should send the data to.

* This attribute is optional.

* If no value is present, defaults to the default index.


whitelist = <list>

* Tells Splunk which event IDs and/or event ID ranges that incoming events must have 

  in order to be indexed.

* Optional. This parameter can be left empty.

* A comma-separated list of event ID and event ID ranges to include (example: 4,5,7,100-200).

* If no value is present, defaults to include all event IDs. 

* If you specify both the "whitelist" and "blacklist" attributes, the input ignores the

  "blacklist" attribute.


blacklist = <list>

* Tells Splunk which event IDs and/or event ID ranges that incoming events must NOT have 

  in order to be indexed.

* Optional. This parameter can be left empty.

* A comma-separated list of event ID and event ID ranges to exclude (example: 4,5,7,100-200).

* If no value is present, then there is no effect.

* If you specify both the "whitelist" and "blacklist" attributes, the input ignores the

  "blacklist" attribute.


suppress_text = [0|1]

* Tells Splunk whether or not to include the description of the event text for a given 

  Event Log event.

* Optional. This parameter can be left empty.

* A value of 1 suppresses the inclusion of the event text description.

* A value of 0 includes the event text description.

* If no value is present, defaults to 0.
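The whitelist and blacklist rules for [WinEventLog://<name>] above are easy to get wrong in practice, so here is an added example (not Splunk's code) that implements them exactly as the spec states: both attributes are comma-separated event IDs and ID ranges such as 4,5,7,100-200, an empty whitelist includes every ID, an empty blacklist has no effect, and when both are set the blacklist is ignored. The sample settings in the test are constructed.

```python
"""Added example (not Splunk code): apply WinEventLog whitelist/blacklist rules.

Encodes what the spec says for [WinEventLog://<name>]: comma-separated event IDs
and inclusive ranges, whitelist wins when both are set, empty means no filtering.
"""


def parse_id_list(value):
    """Turn '4,5,7,100-200' into a list of (low, high) inclusive ranges.

    Returns an empty list for a missing or empty setting.  Malformed entries
    raise ValueError: a mistyped filter that silently changes which security
    events get indexed is the failure mode worth catching before a restart.
    """
    ranges = []
    for item in (value or "").split(","):
        item = item.strip()
        if not item:
            continue
        low, sep, high = item.partition("-")
        lo = int(low)
        hi = int(high) if sep else lo
        if lo < 0 or hi < lo:
            raise ValueError(f"bad event ID range: {item!r}")
        ranges.append((lo, hi))
    return ranges


def _in_ranges(event_id, ranges):
    return any(lo <= event_id <= hi for lo, hi in ranges)


def should_index(event_id, whitelist="", blacklist=""):
    """Return True if an event with this ID passes the stanza's filters."""
    wl = parse_id_list(whitelist)
    bl = parse_id_list(blacklist)
    if wl:
        # Spec: if both attributes are set, the blacklist is ignored.
        return _in_ranges(event_id, wl)
    if bl:
        return not _in_ranges(event_id, bl)
    return True  # neither set: all event IDs are included


if __name__ == "__main__":
    # Constructed sample settings, not from the original page.
    for eid in (4, 8, 150, 300):
        print(eid, should_index(eid, whitelist="4,5,7,100-200"),
              should_index(eid, blacklist="4,5,7,100-200"))
```

Because a populated whitelist makes the blacklist a no-op, a stanza that sets both will index every ID in the whitelist even if the same ID appears in the blacklist; the last assertion in the test checks exactly that case.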


###

# Active Directory Monitor

###


[admon://<name>]


* This section explains possible attribute/value pairs for configuring Splunk's

  Active Directory Monitor.  

* Each admon:// stanza represents an individually configured Active Directory

  monitoring input. If you configure the input with Splunk Web, then the value 

  of "$NAME" will match what was specified there. While you can add

  Active Directory monitor inputs manually, Splunk recommends that you use the 

  Manager interface to configure Active Directory monitor inputs because it is 

  easy to mistype the values for Active Directory monitor objects.


targetDc = <string>

* Specifies a fully qualified domain name of a valid, network-accessible Active

  Directory domain controller. 

* If not specified, Splunk obtains the local computer's DC by default, and

  binds to its root Distinguished Name (DN).


startingNode = <string>

* Tells Splunk where in the Active Directory directory tree to start monitoring. 

* If not specified, Splunk attempts to start at the root of the directory

  tree.

* The user that you configure Splunk to run as at installation determines where Splunk 

  starts monitoring.


monitorSubtree = [0|1]

* Tells Splunk whether or not to monitor the subtree(s) of a given Active Directory

  tree path.

* Defaults to 1 (monitor subtrees of a given directory tree path).


disabled = [0|1]

* Tells Splunk whether or not the input is enabled.

* Defaults to 0 (enabled).


index = <string>

* Tells Splunk which index to store incoming data into for this input.

* This field is optional.

* Defaults to the default index.


printSchema = [0|1]

* Tells Splunk whether or not to print the Active Directory schema.

* Defaults to 1 (print schema of Active Directory).


baseline = [0|1]

* Tells Splunk whether or not to query baseline objects.

* Baseline objects are objects which currently reside in Active Directory.

* Baseline objects also include previously deleted objects.

* Defaults to 1 (query baseline objects).


### 

# Windows Registry Monitor

###


[WinRegMon://<name>]


* This section explains possible attribute/value pairs for configuring Splunk's

  Windows Registry Monitor.  

* Each WinRegMon:// stanza represents an individually configured WinRegMon monitoring input.

  If you configure the inputs with Splunk Web, the value of "$NAME" will match what

  was specified there. While you can add Registry monitor inputs manually, Splunk recommends

  that you use the Manager interface to configure Windows Registry monitor inputs because

  it is easy to mistype the values for Registry hives and keys.

* Note: WinRegMon is for local systems ONLY.


proc = <string>

* Tells Splunk which processes this input should monitor for Registry access.

* If set, matches against the process name which performed the Registry

  access.

* Events generated by processes that do not match the regular expression get

  filtered out.

* Events generated by processes that match the regular expression pass

  through.

* There is no default.


hive = <string>

* Tells Splunk the Registry hive(s) that this input should monitor for Registry access.

* If set, matches against the Registry key which was accessed.

* Events that contain hives that do not match the regular expression get

  filtered out.

* Events that contain hives that match the regular expression pass

  through.

* There is no default.


type = <string>

* A regular expression that specifies the type(s) of Registry event(s)

  that you want Splunk to monitor.

* There is no default.


baseline = [0|1]

* Specifies whether or not Splunk should get a baseline of Registry events when it starts.

* If set to 1, the input will capture a baseline for the specified hive when the input

  starts for the first time.

* Defaults to 0 (do not baseline the specified hive first before monitoring live events).


baseline_interval = <integer>

* Specifies how often, in seconds, that the Registry Monitor input should capture a baseline

  for a specific Registry hive or key.

* Defaults to 0 (do not establish a baseline).


disabled = [0|1]

* Specifies whether or not the input is enabled.

* 1 to disable the input, 0 to enable it.

* Defaults to 0 (enabled).


index = <string>

* Specifies the index that this input should send the data to.

* This attribute is optional.

* If no value is present, defaults to the default index.


###

# Windows Host Monitoring

###


[WinHostMon://<name>]


* This section explains possible attribute/value pairs for configuring Splunk's

  Windows host monitor.  

* Each WinHostMon:// stanza represents a WinHostMon monitoring input.

  If you configure the input in Splunk Web, the value of "$NAME" will match what 

  was specified there.

* Note: WinHostMon is for local Windows systems ONLY. You cannot monitor Windows host

  information remotely.


type = <semicolon-separated strings>

* An expression that specifies the type(s) of host inputs

  that you want Splunk to monitor.


interval = <integer>

* Specifies the interval, in minutes, between when the input runs to gather Windows host information. 


disabled = [0|1]

* Specifies whether or not the input is enabled.

* 1 to disable the input, 0 to enable it.

* Defaults to 0 (enabled).


index = <string>

* Specifies the index that this input should send the data to.

* This attribute is optional.

* If no value is present, defaults to the default index.


[WinPrintMon://<name>]


* This section explains possible attribute/value pairs for configuring Splunk's

  Windows print Monitor.  

* Each WinPrintMon:// stanza represents a WinPrintMon monitoring input.

  The value of "$NAME" will match what was specified in

  Splunk Web.

* Note: WinPrintMon is for local systems ONLY.


type = <semicolon-separated strings>

* An expression that specifies the type(s) of print inputs

  that you want Splunk to monitor.


baseline = [0|1]

* If set to 1, the input will baseline the current print objects when the input

  is turned on for the first time.

* Defaults to 0 (false), do not baseline.


disabled = [0|1]

* Specifies whether or not the input is enabled.

* 1 to disable the input, 0 to enable it.

* Defaults to 0 (enabled).


index = <string>

* Specifies the index that this input should send the data to.

* This attribute is optional.

* If no value is present, defaults to the default index.


[WinNetMon://<name>]


* This section explains possible attribute/value pairs for configuring Splunk's

  Network Monitor.  

* Each WinNetMon:// stanza represents an individually configured network

  monitoring input.  The value of "$NAME" will match what was specified in

  Splunk Web. Splunk recommends that you use the Manager interface to configure

  Network Monitor inputs because it is easy to mistype the values for

  Network Monitor objects, counters and instances.


remoteAddress = <regular expression>

* If set, matches against the remote address.

* Events with remote addresses that do not match the regular expression get

  filtered out.

* Events with remote addresses that match the regular expression pass

  through.

* Example: 192\.163\..*

* Default (missing or empty setting) includes all events


process = <regular expression>

* If set, matches against the process/application name which performed network access

* Events generated by processes that do not match the regular expression are

  filtered out.

* Events generated by processes that match the regular expression are passed

  through.

* Default (missing or empty proc setting) includes all processes/applications


user = <regular expression>

* If set, matches against the user name which performed network access

* Events generated by users that do not match the regular expression are

  filtered out.

* Events generated by users that match the regular expression are passed

  through.

* Default (missing or empty user setting) includes access by all users


addressFamily = ipv4;ipv6

* If set, matches against address family.

* Accepts semicolon separated values, e.g. ipv4;ipv6

* Default (missing or empty address family setting) includes ipv4 and ipv6 traffic


packetType = connect;accept;transport

* If set, matches against packet type

* Accepts semicolon separated values, e.g. connect;transport

* Default (missing or empty setting) includes all types


direction = inbound;outbound

* If set, matches against direction.

* Accepts semicolon separated values, e.g. incoming;outgoing

* Default (missing or empty setting) includes all types


protocol = tcp;udp

* If set, matches against protocol ids.

* Accepts semicolon separated values

* Protocols are defined in http://www.ietf.org/rfc/rfc1700.txt

* Example of protocol ids: tcp;udp

* Default (missing or empty setting) includes all types


readInterval = <integer>

* Read network driver every readInterval milliseconds.

* Advanced option. We recommend that the default value is used unless there is a problem with input performance.

* Allows adjusting the frequency of calls into the kernel driver. Higher frequencies may affect network performance, while lower frequencies can cause event loss.

* Default value: 100 msec

* Minimum: 10 msec, maximum: 1 sec


driverBufferSize = <integer>

* Keep maximum number of network packets in network driver buffer.

* Advanced option. We recommend that the default value is used unless there is a problem with input performance.

* Controls amount of packets cached in the driver. Lower values may result in event loss. Higher values may increase the size of non-paged memory.

* Default: 32768 packets.

* Minimum: 128 packets, maximum: 32768 packets


userBufferSize = <integer>

* Maximum size in MB of user mode event buffer.

* Advanced option. We recommend that the default value is used unless there is a problem with input performance.

* Controls the amount of packets cached in user mode. Lower values may result in event loss. Higher values may increase the size of Splunk network monitor memory.

* Default: 20 MB.

* Minimum: 5 MB, maximum: 500 MB.


mode = single,multikv

* Specifies output mode. Output each event individually or in multikv format.

* Default: single.


multikvMaxEventCount = <integer>

* Advanced option. When multikv mode is used, output at most multikvMaxEventCount events.

* Default: 100 events

* Minimum: 10 events, maximum: 500 events


multikvMaxTimeMs = <integer>

* Advanced option. When multikv mode is used, output no later than multikvMaxTimeMs milliseconds.

* Default: 1000 ms

* Minimum: 100 ms, maximum: 5000 ms


disabled = [0|1]

* Tells Splunk whether or not the input is enabled.

* Defaults to 0 (enabled).


index = <string>

* Tells Splunk which index to store incoming data into for this stanza.

* This field is optional.

* Defaults to the default index.
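Both the [perfmon://<name>] section and the [WinNetMon://<name>] section above warn that these stanzas are easy to mistype, and several attributes carry hard limits (samplingInterval must be at least 100 and below 'interval'; stats only accepts min, max, dev and count; WinNetMon's readInterval, driverBufferSize, userBufferSize, multikvMaxEventCount and multikvMaxTimeMs each have a stated minimum and maximum). The Python below is an added example, not Splunk's code, that checks a stanza's attributes against exactly those stated rules before the file is deployed. Attributes are passed as a plain dict of strings, as they would be read from inputs.conf; the sample stanzas in the test are constructed. One reading of this example's own: since 'interval' is in seconds and samplingInterval in milliseconds, the comparison is done in milliseconds.

```python
"""Added example (not Splunk code): check perfmon:// and WinNetMon:// attribute
values against the limits stated in this inputs.conf spec.

Only rules written in the spec text are encoded.  The unit conversion for the
samplingInterval < interval comparison is this example's reading of the spec.
"""

PERFMON_REQUIRED = ("object", "counters", "interval")
STATS_VALUES = {"min", "max", "dev", "count"}
MODES = {"single", "multikv"}

# Stated (minimum, maximum) for each numeric [WinNetMon://<name>] attribute.
WINNETMON_RANGES = {
    "readInterval": (10, 1000),          # milliseconds
    "driverBufferSize": (128, 32768),    # packets
    "userBufferSize": (5, 500),          # MB
    "multikvMaxEventCount": (10, 500),   # events
    "multikvMaxTimeMs": (100, 5000),     # milliseconds
}


def _int(attrs, key, problems):
    """Parse an integer attribute, recording a problem if it is not an integer."""
    raw = attrs.get(key)
    if raw is None:
        return None
    try:
        return int(raw)
    except ValueError:
        problems.append(f"{key}: {raw!r} is not an integer")
        return None


def _check_flag(attrs, key, problems):
    """disabled / showZeroValue style attributes accept only 0 or 1."""
    if attrs.get(key, "0") not in ("0", "1"):
        problems.append(f"{key}: must be 0 or 1, got {attrs[key]!r}")


def validate_perfmon(attrs):
    """Return a list of problems for a [perfmon://<name>] stanza (empty means OK)."""
    problems = []
    for key in PERFMON_REQUIRED:
        if not attrs.get(key, "").strip():
            problems.append(f"{key}: required, the input will not run without it")
    interval = _int(attrs, "interval", problems)          # seconds
    sampling = _int(attrs, "samplingInterval", problems)  # milliseconds
    if sampling is not None:
        if sampling < 100:
            problems.append("samplingInterval: minimum legal value is 100 ms")
        # Assumption: compare in milliseconds, since interval is given in seconds.
        if interval is not None and sampling >= interval * 1000:
            problems.append("samplingInterval: must be less than the 'interval' value")
    if "stats" in attrs:
        bad = {s.strip() for s in attrs["stats"].split(";")} - STATS_VALUES
        if bad:
            problems.append(f"stats: unknown values {sorted(bad)}")
    if "mode" in attrs and attrs["mode"] not in MODES:
        problems.append(f"mode: must be one of {sorted(MODES)}")
    for flag in ("disabled", "showZeroValue"):
        _check_flag(attrs, flag, problems)
    return problems


def validate_winnetmon(attrs):
    """Return a list of problems for a [WinNetMon://<name>] stanza (empty means OK)."""
    problems = []
    for key, (lo, hi) in WINNETMON_RANGES.items():
        value = _int(attrs, key, problems)
        if value is not None and not lo <= value <= hi:
            problems.append(f"{key}: {value} is outside {lo}..{hi}")
    if "mode" in attrs and attrs["mode"] not in MODES:
        problems.append(f"mode: must be one of {sorted(MODES)}")
    _check_flag(attrs, "disabled", problems)
    return problems


if __name__ == "__main__":
    # Constructed sample stanzas, not from the original page.
    print(validate_perfmon({"object": "Memory", "counters": "*", "interval": "5",
                            "samplingInterval": "50", "stats": "min;avg"}))
    print(validate_winnetmon({"readInterval": "5", "driverBufferSize": "1024"}))
```

Running a check like this in CI for the deployment-server copy of inputs.conf catches the typo before it reaches an indexer, which matters because a perfmon input missing a required attribute simply does not run and produces no error in the indexed data.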

