Use Splunk Web
To use Splunk Web to add inputs from files and directories:
A. Go to the Add New page
You add an input from the Add New page in Splunk Web. You can get there by two routes:
- Splunk Manager
- Splunk Home
It doesn't matter which route you use; the Add New page itself is the same either way.
Via Splunk Manager:
1. Click Manager in the upper right-hand corner of Splunk Web.
2. In the Data section of the Manager page, click Data Inputs.
3. Click Files & Directories.
4. Click the New button to add an input.
Via Splunk Home:
1. Click the Add Data link in Splunk Home.
2. Click the From files and directories link to add an input.
B. Preview your data
When you add a new file or directory input, Splunk first offers to preview how the data will look once indexed. The preview lets you confirm that Splunk breaks events and extracts timestamps correctly, and lets you adjust event processing before any data is committed to an index (once indexed, data cannot be re-parsed without re-indexing it).
If you skip the preview, Splunk Web takes you directly to the Add new page, where you add the input as described in the next section.
C. Specify the input
1. Select a Source radio button:
- Continuously index data from a file or directory this Splunk instance can access. Sets up an ongoing input. Whenever data is added to this file or directory, Splunk will index it. Read the next section for advanced options specific to this choice.
- Upload and index a file. Uploads a file from your local machine into Splunk.
- Index a file once from this Splunk server. Copies a file on the server into Splunk via the batch directory.
2. Specify the Full path to the file or directory. (If you selected the Upload and index a file radio button, the field is called File instead.)
To monitor a shared network drive, enter the path of the mounted share (\\<myhost>\<mypath> on Windows). Make sure the account Splunk runs as has read access to the mounted drive, as well as to the files you want to monitor; a monitor input that cannot read its target silently indexes nothing.
3. To access other settings, check More settings. A number of additional settings appear. You can usually go with the defaults for these settings. If you want to set them explicitly, here's what they're for:
a. Under the Host section, you can set the host name value. You have several choices for this setting. Learn more about setting the host value in "About hosts".
Note: Host only sets the host field in the resulting events. It does not direct Splunk to look on a specific host on your network.
b. You can set the Source type. Source type is a default field added to events. Source type is used to determine processing characteristics, such as timestamps and event boundaries. For information on overriding Splunk's automatic source typing, see "Override automatic source type assignment" in this manual.
For directories, set the source type to Automatic. If the directory contains files of different formats, do not set a value for the source type manually. By doing so, you'll force a single source type for all files in that directory.
c. You can set the Index for this input. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk has a number of utility indexes, which also appear in this dropdown box.
4. Click Save.
Advanced options for file/directory monitoring
If you selected the Continuously index data from a file or directory radio button for your source, the More settings section also includes an Advanced options section, which lets you configure some additional settings:
- Follow tail. If checked, monitoring begins at the end of the file (like tail -f); content already in the file when the input is created is not indexed.
- Whitelist. If a path is specified, files under that path are monitored only if their full path matches the specified regex.
- Blacklist. If a path is specified, files under that path are not monitored if their full path matches the specified regex. A file that matches both the whitelist and the blacklist is not monitored; the blacklist takes precedence.
For detailed information on whitelists and blacklists, see Whitelist or blacklist specific incoming data in this manual.
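Saving the input writes a [monitor://...] stanza to inputs.conf; the settings in step 3 (host, source type, index) and the Advanced options above (follow tail, whitelist, blacklist) become keys in that stanza. The following is an added example, not code from the Splunk documentation or product: it embeds a constructed stanza of the kind Splunk Web writes, parses it, and applies the whitelist/blacklist rules to a constructed directory listing so you can see which files a given pair of patterns would actually pick up. The path /var/log/auth, the host and index names, and the file list are hypothetical.

```python
import configparser
import re

# Constructed stanza of the form Splunk Web saves for a "Continuously index"
# input with host, source type, index, follow tail and whitelist/blacklist set.
# All values are hypothetical. Note the regexes are written as they would
# appear in inputs.conf; on Windows, backslashes in a path regex must be
# escaped, e.g. C:\\\\logs\\\\.*\\.log$
INPUTS_CONF = """
[monitor:///var/log/auth]
host = bastion01
sourcetype = linux_secure
index = security
followTail = 1
whitelist = \\.log$
blacklist = \\.gz$|/archive/
"""

# Constructed listing of the monitored directory. Splunk matches whitelist and
# blacklist against the full path, not just the file name.
SAMPLE_FILES = [
    "/var/log/auth/secure.log",
    "/var/log/auth/secure.log.1",
    "/var/log/auth/secure.log.gz",
    "/var/log/auth/archive/secure-2013.log",
    "/var/log/auth/notes.txt",
]


def parse_monitor_stanza(text):
    """Return (monitored_path, settings) for the single [monitor://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (followTail, not followtail)
    cp.read_string(text)
    sections = [s for s in cp.sections() if s.startswith("monitor://")]
    if len(sections) != 1:
        raise ValueError("expected exactly one monitor stanza")
    name = sections[0]
    return name[len("monitor://"):], dict(cp[name])


def selected_files(settings, paths):
    """Apply the stanza's whitelist/blacklist to a list of full paths.

    Documented Splunk behaviour: when a whitelist is set, a file must match it
    to be monitored; a file matching the blacklist is never monitored, even if
    it also matches the whitelist (blacklist takes precedence).
    """
    white_re = re.compile(settings["whitelist"]) if settings.get("whitelist") else None
    black_re = re.compile(settings["blacklist"]) if settings.get("blacklist") else None
    chosen = []
    for path in paths:
        if black_re and black_re.search(path):
            continue
        if white_re and not white_re.search(path):
            continue
        chosen.append(path)
    return chosen


def skips_existing_content(settings):
    """True when followTail = 1, i.e. data already in the file is not indexed.

    Worth checking on security inputs: with follow tail enabled, events that
    were written before the input was created never reach the index.
    """
    return settings.get("followTail", "0").strip() == "1"


if __name__ == "__main__":
    path, settings = parse_monitor_stanza(INPUTS_CONF)
    print("monitoring", path, "into index", settings["index"])
    print("follow tail skips existing content:", skips_existing_content(settings))
    for f in selected_files(settings, SAMPLE_FILES):
        print("  would index:", f)
```

Only secure.log survives: the rotated .1 file fails the whitelist, the .gz file and the archive/ subdirectory hit the blacklist, and notes.txt matches neither. If that is not what you intended (rotated logs are often wanted), widen the whitelist before saving rather than after, since files skipped at creation time are not revisited.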
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18