Add Data

Now that you have an app, let's add some data. We'll use sample data from the sample app "sample_app", which is included with Splunk Enterprise.

  1. Click the Splunk logo in the upper left corner of Splunk Web to return to the home page.
  2. Click Add Data.
  3. Click Upload files from my computer.
  4. Click Select.
  5. Navigate to $SPLUNK_HOME/etc/apps/sample_app/logs, select maillog, then click Open.
  6. Click Next.
  7. For Source type, click Email, then select sendmail_syslog.
  8. Click Next.
  9. For Index, click Create a new index.
  10. Creating an index is typically a task for administrators, who determine where to store data. For this tutorial, you will create an index for your data, which you can remove later if you want. For best practices, see App Design Patterns - Creating Indexes on Splunk Blogs.

  11. Enter an Index Name, and leave Search and Reporting selected for App.
  12. You should not include index definitions with your app or build your searches to rely on the existence of a specific index. The Search and Reporting app is the default location for index definitions. If you create an index from the command line without specifying a location, the index is created under $SPLUNK_HOME/etc/apps/search/local. For more about making your app index-independent, see Use macros to avoid index dependency.

    Most of the other options on the New Index dialog box are used for determining where to store data and how much to store. For details, see Indexes, indexers, and indexer clusters in the Managing Indexers and Clusters of Indexers manual.

  13. Click Save to create your index.
  14. Click Review, then click Submit to upload your data to the new index.

You can also create indexes from the command line as follows:

  1. Open a command prompt and navigate to $SPLUNK_HOME/bin.
  2. Enter the following at the command prompt, where your_index_name is the name of your index:

    On Mac, enter:

    ./splunk add index your_index_name

    On Windows, enter:

    splunk add index your_index_name
  3. Enter your Splunk username and password when prompted.
  4. Unless you specify a different location, the index is created in $SPLUNK_HOME/etc/apps/search/local.

  5. To remove an index, enter the following at the command prompt

    On Mac, enter:

    ./splunk remove index your_index_name

    On Windows, enter:

    splunk remove index your_index_name


Now you've added some data to Splunk Enterprise that your app can access. Let's review the changes made to your app's structure.

Two files in the Search and Reporting app have been updated: $SPLUNK_HOME/etc/apps/search/local/indexes.conf and $SPLUNK_HOME/etc/apps/search/metadata/local.meta. The local.meta file now contains a stanza at the end that provides additional information about the new index, which is called "hello_index" in the following diagram:

The indexes.conf file now contains a stanza at the end that defines the new index, which is called "hello_index" below:

For more about these files, see default.meta.conf and indexes.conf in the Admin Manual.

Because these configurations are stored outside of your app, you don't need to remove them before you package your app. The data we uploaded is stored in this index. When you're done with this tutorial, you can delete the index to remove the sample data from your Splunk instance. You can also restrict searches to this specific index using the "index=hello_world" search command to speed up searches. However, your app won't work if this index isn't present. Carefully consider the tradeoffs when restricting your app to a specific index.

Next step

Report on data