Use the CLI
Monitor files and directories via Splunk's Command Line Interface (CLI). To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the splunk command in that directory.
If you get stuck, Splunk's CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well -- type splunk help <command>.
CLI commands for input configuration
The following commands are available for input configuration via the CLI:
| Command | Command syntax | Action |
|---|---|---|
| add monitor | add monitor <source> [-parameter value] ... | Monitor inputs from <source>. |
| edit monitor | edit monitor <source> [-parameter value] ... | Edit a previously added monitor input for <source>. |
| remove monitor | remove monitor <source> | Remove a previously added monitor input for <source>. |
| list monitor | list monitor | List the currently configured monitor inputs. |
| add oneshot | add oneshot <source> [-parameter value] ... | Copy the file <source> directly into Splunk. The file is indexed once; Splunk does not continue to monitor it. |
| spool | spool <source> | Copy the file <source> into Splunk via the sinkhole directory. This command is similar to add oneshot, except that the file is spooled from the sinkhole directory rather than added immediately. |
Change the configuration of each data input type by setting additional parameters. Parameters are set via the syntax: -parameter value.
Note: You can only set one -hostname, -hostregex or -hostsegmentnum per command.
| Parameter | Required? | Description |
|---|---|---|
| <source> | Yes | Path to the file or directory to monitor or upload. Note: Unlike the other parameters, this one is given as the bare value and is not preceded by a parameter flag. |
| sourcetype | No | Specify a sourcetype field value for events from the input source. |
| index | No | Specify the destination index for events from the input source. |
| hostname or host | No | Specify a host name to set as the host field value for events from the input source. Note: These are functionally equivalent. |
| hostregex or host_regex | No | Specify a regular expression used to extract the host field value from the source key. Note: These are functionally equivalent. |
| hostsegmentnum or host_segment | No | An integer that selects which "/"-separated segment of the path is used as the host field value. If set to 3, for example, the third segment of the path is used. Note: These are functionally equivalent. |
| rename-source | No | Specify a value for the "source" field to be applied to data from this file. |
| follow-only | No | Set to "true" or "false". Default is "false". When set to "true", Splunk reads from the end of the source (like the Unix "tail -f" command). Note: This parameter is not available for |
Example 1: Monitor files in a directory
The following example shows how to monitor files in /var/log/.
Add /var/log/ as a data input:
./splunk add monitor /var/log/
Example 2: Monitor windowsupdate.log
The following example shows how to monitor the Windows Update log (where Windows logs automatic updates), sending the data to an index called "newindex".
Add C:\Windows\windowsupdate.log as a data input:
./splunk add monitor C:\Windows\windowsupdate.log -index newindex
Example 3: Monitor IIS logging
This example shows how to monitor the default location for Windows IIS logging.
Add C:\windows\system32\LogFiles\W3SVC as a data input:
./splunk add monitor c:\windows\system32\LogFiles\W3SVC
Example 4: Upload a file
This example shows how to upload a file into Splunk. Unlike the previous examples, Splunk only consumes the file once; it does not continuously monitor it.
Upload /var/log/applog directly into Splunk with the add oneshot command:
./splunk add oneshot /var/log/applog
You can also upload a file via the sinkhole directory with the spool command:
./splunk spool /var/log/applog
The result is the same with either command.
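The following shell script is an added example and is not part of the Splunk documentation or the splunk CLI itself. It wraps the add monitor invocations shown above so that the command line can be reviewed before it changes the input configuration, enforces the one-host-parameter rule from the note above, and shows which part of a path -hostsegmentnum selects. It assumes SPLUNK_HOME defaults to /opt/splunk, a constructed directory layout of /data/logs/<hostname>/app.log, and helper names (host_from_segment, host_flag_count, monitor_cmd, run_monitor) that are this example's own.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation. Builds and runs
# "splunk add monitor" commands with the -index/-sourcetype/-hostsegmentnum
# parameters, rejects the combinations the CLI does not accept (more than
# one host-setting parameter), and shows what -hostsegmentnum picks from a
# path. Assumptions: SPLUNK_HOME defaults to /opt/splunk; helper names are
# this example's own.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# host_from_segment PATH N: the host value that -hostsegmentnum N yields for
# PATH, i.e. the Nth "/"-separated segment, counted from 1 after the leading "/".
host_from_segment() {
    printf '%s\n' "$1" | sed 's#^/##' | cut -d/ -f"$2"
}

# host_flag_count ARGS...: number of host-setting parameters present. The CLI
# accepts only one of -hostname/-host, -hostregex/-host_regex and
# -hostsegmentnum/-host_segment per command.
host_flag_count() {
    n=0
    for arg in "$@"; do
        case $arg in
            -hostname|-host|-hostregex|-host_regex|-hostsegmentnum|-host_segment)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# monitor_cmd SOURCE [-parameter value]...: print the exact command line so it
# can be reviewed or logged before it touches the Splunk input configuration.
monitor_cmd() {
    printf '%s add monitor' "$SPLUNK_HOME/bin/splunk"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# run_monitor SOURCE [-parameter value]...: validate the parameters, then run
# the command if the splunk binary is present, otherwise print it as a dry run.
run_monitor() {
    if [ "$(host_flag_count "$@")" -gt 1 ]; then
        echo "error: only one of -hostname, -hostregex or -hostsegmentnum per command" >&2
        return 1
    fi
    if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
        "$SPLUNK_HOME/bin/splunk" add monitor "$@"
    else
        echo "dry run: $(monitor_cmd "$@")"
    fi
}

# Constructed layout for the example: /data/logs/<hostname>/app.log, so the
# third path segment is the name of the machine that produced the file.
host_from_segment /data/logs/web01/app.log 3   # web01
run_monitor /data/logs -index app -sourcetype applog -hostsegmentnum 3

# Two host parameters on one command are rejected before anything is run.
run_monitor /var/log -hostname web01 -hostsegmentnum 3 || echo "rejected as expected"
```

Running the script on a host without Splunk prints the dry-run command lines only; on a Splunk host it calls $SPLUNK_HOME/bin/splunk add monitor with the same arguments. The host_from_segment helper exists so the segment number can be checked against a real path before the input is added, since a wrong segment silently sets the host field to a directory name.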
This documentation applies to the following versions of Splunk: 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2
Will oneshot or spool create duplicate events if part of the log file has been previously indexed? In my situation, there is a 6 day gap (while logs were being indexed into the wrong index). Naturally, this gap starts mid-day and ends mid-day. Log rotation being daily means part of the first and last day of the gap have already been indexed. I'd prefer not to have to manually modify the log files before adding them in. (PS: tried using the collection command to move from index to index, but there was just too much data.)