Use the CLI
This documentation does not apply to the most recent version of Splunk.
Monitor files and directories via Splunk's Command Line Interface (CLI). To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command from the UNIX or Windows command prompt.
If you get stuck, Splunk's CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well -- type splunk help <command>.
CLI commands for input configuration
The following commands are available for input configuration via the CLI:
| Command | Command syntax | Action |
|---|---|---|
| add monitor | add monitor <source> [-parameter value] ... | Monitor inputs from <source>. |
| edit monitor | edit monitor <source> [-parameter value] ... | Edit a previously added monitor input for <source>. |
| remove monitor | remove monitor <source> | Remove a previously added monitor input for <source>. |
| list monitor | list monitor | List the currently configured monitor inputs. |
| add oneshot | add oneshot <source> [-parameter value] ... | Copy the file <source> directly into Splunk. This uploads the file once, but Splunk does not continue to monitor it. |
| spool | spool <source> | Copy the file <source> into Splunk via the sinkhole directory. This command is similar to add oneshot, except that the file gets spooled from the sinkhole directory, rather than added immediately. |
Change the configuration of each data input type by setting additional parameters. Parameters are set via the syntax: -parameter value.
Note: You can only set one -hostname, -hostregex or -hostsegmentnum per command.
| Parameter | Required? | Description |
|---|---|---|
| <source> | Yes | Path to the file or directory to monitor/upload for new input. Note: Unlike the other parameters, the syntax for this parameter is just the value itself and is not preceded by a parameter flag. |
| sourcetype | No | Specify a sourcetype field value for events from the input source. |
| index | No | Specify the destination index for events from the input source. |
| hostname or host | No | Specify a host name to set as the host field value for events from the input source. Note: If you're using |
| hostregex or host_regex | No | Specify a regular expression on the source file path to set as the host field value for events from the input source. Note: If you're using |
| hostsegmentnum or host_segment | No | Set the number of segments of the source file path to set as the host field value for events from the input source. Note: If you're using |
| rename-source | No | Specify a value for the "source" field to be applied to data from this file. |
| active-only | No | (T/F) True or False. Default is False. When set to True, Splunk will read only files that are currently open for writing. Note: This parameter is not available for |
| follow-only | No | (T/F) True or False. Default is False. When set to True, Splunk will read from the end of the source (like the "tail -f" Unix command). Note: This parameter is not available for |
Example 1 - Monitor files in a directory
The following example shows how to monitor files in /var/log/.
Add /var/log/ as a data input:
./splunk add monitor /var/log/
Example 2 - Monitor windowsupdate.log
The following example shows how to monitor the Windows Update log (where Windows logs automatic updates), sending the data to an index called "newindex".
Add C:\Windows\windowsupdate.log as a data input:
./splunk add monitor C:\Windows\windowsupdate.log -index newindex
Example 3 - Monitor IIS logging
This example shows how to monitor the default location for Windows IIS logging.
Add C:\windows\system32\LogFiles\W3SVC as a data input:
./splunk add monitor c:\windows\system32\LogFiles\W3SVC
Example 4 - Upload a file
This example shows how to upload a file into Splunk. Unlike the previous examples, Splunk only consumes the file once; it does not continuously monitor it.
Upload /var/log/applog directly into Splunk with the add oneshot command:
./splunk add oneshot /var/log/applog
You can also upload a file via the sinkhole directory with the spool command:
./splunk spool /var/log/applog
The result is the same with either command.
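The parameter table and the examples above are easy to get wrong at the shell (a missing value, two host-setting parameters in one command, or -hostname passed to add oneshot, which the comments below report as unsupported). The following POSIX sh wrapper is an added example, not Splunk's own code: it checks a "-parameter value" list against the rules documented on this page before issuing the command, and for add oneshot rewrites -hostname, -hostregex and -hostsegmentnum to the aliases -host, -host_regex and -host_segment that the table lists as equivalent. It assumes SPLUNK_HOME points at the install (defaulting to /opt/splunk) and that DRY_RUN=1, the default, prints the command line instead of running it; the function name add_input and the accepted T/F spellings are the example's own choices.

```shell
#!/bin/sh
# Added example (not Splunk's own code): a wrapper around "./splunk add monitor" and
# "./splunk add oneshot" that validates the "-parameter value" list against the rules
# in the parameter table before the command is issued.
# Assumptions: SPLUNK_HOME points at the install (default /opt/splunk);
# DRY_RUN=1 (the default) prints the command line instead of executing it.

SPLUNK_BIN="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"

# add_input <monitor|oneshot> <source> [-parameter value] ...
# Prints (DRY_RUN=1) or executes the resulting command. Returns 1 with a message on
# stderr when the parameter list breaks a documented rule:
#   - every -parameter must be followed by a value
#   - only one of -hostname, -hostregex, -hostsegmentnum (or their aliases) per command
#   - -active-only / -follow-only take T/F
#   - parameters not in the table are rejected rather than passed through
# For add oneshot, -hostname/-hostregex/-hostsegmentnum are rewritten to the aliases
# -host/-host_regex/-host_segment that the table lists as equivalent.
add_input() {
    kind=$1
    src=$2
    case "$kind" in
        monitor|oneshot) ;;
        *) echo "add_input: unknown input type '$kind' (use monitor or oneshot)" >&2; return 1 ;;
    esac
    if [ -z "$src" ]; then
        echo "add_input: <source> path is required" >&2
        return 1
    fi
    shift 2

    hostflags=0
    remaining=$#
    # Consume the original pairs from the front of "$@" and append the
    # validated (and, for oneshot, renamed) pairs to the back.
    while [ "$remaining" -gt 0 ]; do
        if [ "$remaining" -lt 2 ]; then
            echo "add_input: missing value for $1" >&2
            return 1
        fi
        param=$1
        value=$2
        shift 2
        remaining=$((remaining - 2))
        case "$param" in
            -hostname|-host|-hostregex|-host_regex|-hostsegmentnum|-host_segment)
                hostflags=$((hostflags + 1)) ;;
            -index|-sourcetype|-rename-source) ;;
            -active-only|-follow-only)
                case "$value" in
                    T|F|True|False|true|false) ;;
                    *) echo "add_input: $param expects T or F, got '$value'" >&2; return 1 ;;
                esac ;;
            *) echo "add_input: unknown parameter '$param'" >&2; return 1 ;;
        esac
        if [ "$kind" = oneshot ]; then
            case "$param" in
                -hostname) param=-host ;;
                -hostregex) param=-host_regex ;;
                -hostsegmentnum) param=-host_segment ;;
            esac
        fi
        set -- "$@" "$param" "$value"
    done
    if [ "$hostflags" -gt 1 ]; then
        echo "add_input: set only one of -hostname, -hostregex, -hostsegmentnum per command" >&2
        return 1
    fi

    if [ "${DRY_RUN:-1}" = 1 ]; then
        # Print the command line on one line so it can be reviewed before running.
        line="$SPLUNK_BIN add $kind $src"
        for arg in "$@"; do
            line="$line $arg"
        done
        printf '%s\n' "$line"
    else
        "$SPLUNK_BIN" add "$kind" "$src" "$@"
    fi
}

# Stand-alone demonstration (dry run), mirroring Example 2 above.
add_input monitor 'C:\Windows\windowsupdate.log' -index newindex
```

Run with DRY_RUN=0 to execute instead of print. The wrapper does not check that an -index value names an existing index; as the error quoted in the comments shows, Splunk rejects the command if the index does not exist, so create the index before adding the input.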
This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3.
Comments
Houxiaoxiao,
Thanks for pointing out that problem. The "hostname" parameter, as well as a few others with similar issues (hostregex, hostsegmentnum) will be made available for the "add oneshot" command in a future release. In the meantime, equivalent versions that work with both monitor and oneshot are now documented in the parameter table.
I tried splunk add oneshot $source -hostname=$hostname. But it said "In handler 'oneshotinput': Argument "hostname" is not supported by this handler." Then I found -host=$hostname works. "splunk help oneshot" even says there is no optional parameter!!!
Would you please be more careful about your documentation? So many errors!!! It is really frustrating for users!!!
The parameter to include an index is returning the error:
In handler 'monitor': Parameter index: Index 'newindex' does not exist. Please provide a valid index.