Monitor files and directories using the CLI
Monitor files and directories via Splunk's Command Line Interface (CLI). To use the CLI, navigate to the $SPLUNK_HOME/bin/ directory and run the ./splunk command from the UNIX or Windows command prompt.
If you get stuck, Splunk's CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well -- type splunk help <command>.
CLI commands for input configuration
The following commands are available for input configuration via the CLI:
| Command | Command syntax | Action |
|---|---|---|
| add | add monitor $SOURCE [-parameter value] ... | Add inputs from $SOURCE. |
| edit | edit monitor $SOURCE [-parameter value] ... | Edit a previously added input for $SOURCE. |
| remove | remove monitor $SOURCE | Remove a previously added $SOURCE. |
| list | list monitor | List the currently configured monitor inputs. |
| spool | spool source | Copy a file into Splunk via the sinkhole directory. |
Change the configuration of each data input type by setting additional parameters. Parameters are set via the syntax: -parameter value.
Note: You can only set one -hostname, -hostregex or -hostsegmentnum per command.
| Parameter | Required? | Description |
|---|---|---|
| source | Required | Path to the file or directory to monitor for new input. |
| sourcetype | Optional | Specify a sourcetype field value for events from the input source. |
| index | Optional | Specify the destination index for events from the input source. |
| hostname | Optional | Specify a host name to set as the host field value for events from the input source. |
| hostregex | Optional | Specify a regular expression on the source file path to set as the host field value for events from the input source. |
| hostsegmentnum | Optional | Set the number of segments of the source file path to set as the host field value for events from the input source. |
| follow-only | Optional | (T/F) True or False. Default False. When set to True, Splunk will read from the end of the source (like the "tail -f" Unix command). |
Example 1. Monitor files in a directory
The following example shows how to monitor files in /var/log/:
Add /var/log/ as a data input:
./splunk add monitor /var/log/
Example 2. Monitor windowsupdate.log
The following example shows how to monitor the Windows Update log (where Windows logs automatic updates):
Add C:\Windows\windowsupdate.log as a data input:
.\splunk add monitor C:\Windows\windowsupdate.log
Example 3. Monitor IIS logging
This example shows how to monitor the default location for Windows IIS logging:
Add C:\windows\system32\LogFiles\W3SVC as a data input:
.\splunk add monitor c:\windows\system32\LogFiles\W3SVC
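As an added example (not part of the Splunk documentation), a small POSIX shell wrapper that assembles the add monitor command line from the parameters listed above and refuses an invocation that sets more than one of -hostname, -hostregex and -hostsegmentnum, the rule noted earlier. The function name build_monitor_cmd and its dry-run behaviour (it prints the command instead of executing it) are assumptions; run it from $SPLUNK_HOME/bin so that ./splunk resolves.

```shell
# build_monitor_cmd SOURCE [-sourcetype V] [-index V] [-hostname V]
#                   [-hostregex V] [-hostsegmentnum V] [-follow-only T|F]
# Assumed helper: prints the "./splunk add monitor ..." command it would run.
# Returns 1 (and prints the reason on stderr) when the parameters are invalid,
# so a provisioning script can stop before a bad input reaches the server.
build_monitor_cmd() {
    src="$1"
    [ -n "$src" ] || { echo "source path is required" >&2; return 1; }
    shift
    host_opts=0                      # count of host-setting options seen
    cmd="./splunk add monitor $src"
    while [ $# -gt 0 ]; do
        # every parameter takes exactly one value
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
        case "$1" in
            -hostname|-hostregex|-hostsegmentnum)
                host_opts=$((host_opts + 1))
                cmd="$cmd $1 $2" ;;
            -sourcetype|-index)
                cmd="$cmd $1 $2" ;;
            -follow-only)
                case "$2" in
                    T|F|True|False|true|false) cmd="$cmd $1 $2" ;;
                    *) echo "-follow-only must be T or F" >&2; return 1 ;;
                esac ;;
            *)  echo "unknown parameter: $1" >&2; return 1 ;;
        esac
        shift 2
    done
    if [ "$host_opts" -gt 1 ]; then
        echo "only one of -hostname, -hostregex, -hostsegmentnum per command" >&2
        return 1
    fi
    printf '%s\n' "$cmd"
}
```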
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8
Can $SOURCE be a wildcard pattern?
example: apache_access*.log