# Splunk Input

The Splunk Input step connects to a Splunk server, runs a Splunk query, and returns results to your transformation.

For more information about Splunk, see the [Splunk documentation](http://docs.splunk.com/Documentation).

### Prerequisites

You must have read access to a Splunk server. Contact your Splunk administrator for the host name and port.

### General

![Splunk Input](/files/ksHWn30iriQJvuhefYzj)

* **Step name**: Specify the unique name of the Splunk Input step on the canvas. You can customize the name or leave it as the default.

### Connection tab

Use this tab to configure the Splunk connection.

| Option                             | Description                                                                                             |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------- |
| **Host name(s) or IP address(es)** | Network name or IP address of the Splunk instance (or instances).                                       |
| **Port**                           | Port for the Splunk (`splunkd`) server. Default is `8089` (your administrator might have changed this). |
| **User name**                      | User name required to access the Splunk server.                                                         |
| **Password**                       | Password for the user.                                                                                  |
| **Test connection**                | Tests the connection using the configured settings.                                                     |
| **Preview**                        | Previews results. Specify the preview size, then review the results in the preview window.              |

### Fields tab

![Fields tab in Splunk Input](/files/zTwOHOZQRatUO2X2kGBQ)

Use this tab to define the Splunk query and the output fields.

#### Splunk query expression

* Unlike queries in the Splunk UI, you must start the query with `search`.
* Example:

```
search * | head 100
```

Splunk search supports field selection, which can give you access to Splunk-parsed fields inside the `_raw` field. To select specific fields, add a `fields` command:

```
... | fields index source OpCode
```

#### Execute for each row

If you select **Execute for each row**, the step runs a new query for each incoming row.

You can reference incoming fields by using `?{<Field>}`. For example, to drive the result limit from an incoming field named `Size`:

```
search * | head ?{Size}
```

#### Output fields table

| Column          | Description                       |
| --------------- | --------------------------------- |
| **Name**        | Output field name in PDI.         |
| **Splunk name** | Field name as returned by Splunk. |
| **Type**        | Output data type.                 |
| **Length**      | Output field length.              |
| **Format**      | Output field format.              |

Select **Get fields** to load field metadata into the table. Removing unused fields can improve performance.

Select **Preview** to preview data.

### Raw field parsing

The step attempts to parse the `_raw` field into child fields named:

`_raw.<FieldName>`

The parser expects name/value pairs separated by newlines, like:

```
<Name1>=<Value1>
<Name2>=<Value2>
```

If your raw field data is not formatted this way, post-process the values using other steps.

### Date handling

Splunk commonly returns dates in ISO-8601 format through web services. If you need to parse these dates, you can transform the date string using **Modified Java Script Value**.

Example script:

```
var dateobj = str2date((substr(_time, 0, 23) + "GMT" + substr(_time, 23)).trim(), "yyyy-MM-dd'T'HH:mm:ss.SSSz");
```

### Metadata injection support

All fields of this step support metadata injection. You can use this step with [ETL metadata injection](/pdia-data-integration/pdi-transformation-steps-reference-overview/etl-metadata-injection.md) to pass metadata to your transformation at runtime.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.pentaho.com/pdia-data-integration/pdi-transformation-steps-reference-overview/splunk-input.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.