Related Answers
Download topic as PDF
Monitor files and directories with the CLI
Monitor files and directories via the Splunk Enterprise Command Line Interface (CLI). To use the CLI, navigate to the $SPLUNK_HOME/bin/ directory from a command prompt or shell, and use the splunk command in that directory.
The CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well. Access that help by typing splunk help <command>.
CLI commands for input configuration
The following commands are available for input configuration using the CLI:
| Command | Command syntax | Action |
|---|---|---|
| add monitor | add monitor [-source] <source> [-parameter value] ...
|
Monitor inputs from <source>.
|
| edit monitor | edit monitor [-source] <source> [-parameter value] ...
|
Edit a previously added monitor input for <source>.
|
| remove monitor | remove monitor [-source] <source>
|
Remove a previously added monitor input for <source>.
|
| list monitor | list monitor
|
List the currently configured monitor inputs. |
| add oneshot | add oneshot <source> [-parameter value] ...
|
Copy the file <source> directly into Splunk. This uploads the file once, but Splunk Enterprise does not continue to monitor it.
You cannot use the |
| spool | spool <source>
|
Copy the file <source> into Splunk Enterprise using the sinkhole directory. Similar to add oneshot, except that the file spools from the sinkhole directory, rather than being added immediately.
You cannot use the |
CLI parameters for input configuration
Change the configuration of each data input type by setting additional parameters. Parameters are set via the syntax: -parameter value.
Note: You can only set one -hostname, -hostregex or -hostsegmentnum per command.
| Parameter | Required? | Description |
|---|---|---|
<source>
|
Yes | Path to the file or directory to monitor/upload for new input.
Unlike the other parameters, the syntax for this parameter can be the value itself. It does not have to follow a parameter flag. You can use either of " |
sourcetype
|
No | Specify a sourcetype field value for events from the input source. |
index
|
No | Specify the destination index for events from the input source. |
hostname or host
|
No | Specify a host name to set as the host field value for events from the input source.
These parameters are functionally equivalent. |
hostregex or host_regex
|
No | Specify a regular expression to use to extract the host field value from the source key.
These parameters are functionally equivalent. |
hostsegmentnum or host_segment
|
No | An integer, which determines what "/" separated segment of the path to set as the host field value. If set to 3, for example, the third segment of the path is used.
These parameters are functionally equivalent. |
rename-source
|
No | Specify a value for the "source" field to be applied to data from this file. |
follow-only
|
No | Set to true or false. Default is false.
When set to true, Splunk Enterprise reads from the end of the source (like the "tail -f" Unix command). This parameter is not available for |
Example 1: Monitor files in a directory
The following example shows how to monitor files in /var/log/.
Add /var/log/ as a data input:
./splunk add monitor /var/log/
Example 2: Monitor windowsupdate.log
The following example shows how to monitor the Windows Update log file where Windows logs automatic updates, sending the data to an index called "newindex".
Add C:\Windows\windowsupdate.log as a data input:
splunk add monitor c:\Windows\windowsupdate.log -index newindex
Example 3: Monitor Internet Information Server (IIS) logging
This example shows how to monitor the default location for Windows IIS logging.
Add C:\windows\system32\LogFiles\W3SVC as a data input:
./splunk add monitor c:\windows\system32\LogFiles\W3SVC
Example 4: Upload a file
This example shows how to upload a file into Splunk. Splunk Enterprise consumes the file only once. It does not monitor it continuously.
Upload /var/log/applog (C:\Program Files\AppLog\log.txt on Windows) directly into Splunk Enterprise with the add oneshot command:
| Unix | Windows | |
|---|---|---|
./splunk add oneshot /var/log/applog |
.\splunk add oneshot C:\Program Files\AppLog\log.txt |
You can also upload a file through the sinkhole directory with the <code>spool command:
| Unix | Windows | |
|---|---|---|
./splunk spool /var/log/applog |
.\splunk spool C:\Program Files\AppLog\log.txt |
The result is the same with either command.
|
PREVIOUS Use Splunk Web |
NEXT Edit inputs.conf |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 6.4.3, 6.4.4
The "oneshot" command requires the exact file source path. It does not do recursive search, and do not support any wildarcds.