Find and index data

Find and index data

There are many ways to set up data inputs in Splunk. This section is a high-level description of these techniques. For more detailed methods, see the data inputs section.

Here's a brief intro on getting data into Splunk.

Monitor a file

When you first log in to Splunk Web, you're provided a link to begin monitoring /var/log locally. You can monitor other files and directories you're interested in. When you specify a file to monitor, Splunk processes the entire file and then watches the file and processes additions to it. When you monitor a directory, Splunk recursively searches all subdirectories looking for files resembling log files. You can explicitly include or exclude files with whitelisting and blacklisting.

Monitor files via Splunk Web

Manage your indexed files and add new files to your index from the Admin > Data Inputs: Files & Directories page.

1. To access the Admin page, click the Admin link in the upper right-hand corner.

The Admin page opens to the Server settings page.

2. From the navigation links on the left, click Data Inputs.

The Admin > Data Inputs: All page opens.

3. From the navigation links on the left or the table of input types, click Files & Directories.

The Admin > Data Inputs: FIles & Directories page opens.

4. Click New Input.

The Admin > Data Inputs: Files & Directories: New Input opens.

Monitor files via the CLI

Use the splunk add command. These commands assume you have set a Splunk environment variable. If you have not, you must navigate to $SPLUNK_HOME/bin and run the ./splunk command.

For example:

splunk add monitor /var/log/

This command monitors all files in /var/log/.

Crawl for inputs

Splunk 3.3 introduces the new crawl feature. Crawl your file system for potential logs and data to index. Read more about Using crawl and Configuring crawl.

• Was this topic useful?
• Post a comment