Apps must be configured to work with Splunk. We provide installation tools to automatically configure the App to work in your environment.
You also have the ability to manually configure this App. If you want to manually configure it you must know how to navigate configuration files and understand how to configure inputs, outputs, and the forwarders installed as part of the Solution. Some of the files you must configure are:
Understand "monitor" inputs
In this topic we discuss the contents of the inputs.conf file in relation to the monitor stanzas in the file. See the sample inputs.conf file in the Configuration File reference for reference code.
In the inputs.conf file, the stanzas that start with monitor tell Splunk to watch all files in the <path> you have specified (or just the <path> itself if it represents a single file). You must specify the input type and then the path (put three slashes in your path if you're starting at root). You can use wildcards for the path. For more information, read how to "Specify input paths with wildcards" in the core Splunk documentation.
The following are additional attributes used when defining monitor input stanzas:
source = <string>
Sets the source key/field for events from this input.
Note: Overriding the source key is generally not recommended. Typically, the input layer will provide a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retreived. Consider use of source types, tagging, and search wildcards before overriding this value.
The <string> is prepended with "source::".
Defaults to the input file path.
crcSalt = <string>
Use this setting to force Splunk to consume files that have matching CRCs (cyclic redundancy checks). (Splunk only performs CRC checks against the first few lines of a file. This behavior prevents Splunk from indexing the same file twice, even though you may have renamed it -- as, for example, with rolling log files. However, because the CRC is based on only the first few lines of the file, it is possible for legitimately different files to have matching CRCs, particularly if they have identical headers.)
If set, string is added to the CRC.
If set to <SOURCE>, the full source path is added to the CRC. This ensures that each file being monitored has a unique CRC.
Be cautious about using this attribute with rolling log files; it could lead to the log file being re-indexed after it has rolled.
Note: This setting is case sensitive.
ignoreOlderThan = <time window>
Causes the monitored input to stop checking files for updates if their modtime has passed the <time window> threshold. This improves the speed of file tracking operations when monitoring directory hierarchies with large numbers of historical files (for example, when active log files are co-located with old files that are no longer being written to).
Note: A file whose modtime falls outside <time window> when monitored for the first time will not get indexed.
Value must be: <number><unit>. For example, "7d" indicates one week. Valid units are "d" (days), "m" (minutes), and "s" (seconds).
Defaults to 0 (disabled).
followTail = 0 |1
If set to 1, monitoring begins at the end of the file (like tail -f).
This only applies to files the first time they are picked up.
After that, Splunk's internal file position records keep track of the file.
Defaults to 0.
whitelist = <regular expression>
* If set, files from this path are monitored only if they match the specified regex.
blacklist = <regular expression>
If set, files from this path are NOT monitored if they match the specified regex.
If set to false, Splunk will not go into subdirectories found within a monitored directory.