Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Download topic as PDF

Monitor files and directories with the CLI

Monitor files and directories via the Splunk Enterprise Command Line Interface (CLI). To use the CLI, navigate to the $SPLUNK_HOME/bin/ directory from a command prompt or shell, and use the splunk command in that directory.

The CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well. Access that help by typing splunk help <command>.

CLI commands for input configuration

The following commands are available for input configuration using the CLI:

Command Command syntax Action
add monitor add monitor [-source] <source> [-parameter value] ... Monitor inputs from <source>.
edit monitor edit monitor [-source] <source> [-parameter value] ... Edit a previously added monitor input for <source>.
remove monitor remove monitor [-source] <source> Remove a previously added monitor input for <source>.
list monitor list monitor List the currently configured monitor inputs.
add oneshot add oneshot <source> [-parameter value] ... Copy the file <source> directly into Splunk. This uploads the file once, but Splunk Enterprise does not continue to monitor it.

You cannot use the oneshot command against a remote Splunk Enterprise instance. You also cannot use the command with either recursive folders or wildcards as a source. Specify the exact source path of the file you want to monitor.

spool spool <source> Copy the file <source> into Splunk Enterprise using the sinkhole directory. Similar to add oneshot, except that the file spools from the sinkhole directory, rather than being added immediately.

You cannot use the spool command against a remote Splunk Enterprise instance. You also cannot use the command with either recursive folders or wildcards as a source. Specify the exact source path of the file you want to monitor.

CLI parameters for input configuration

Change the configuration of each data input type by setting additional parameters. Parameters are set via the syntax: -parameter value.

Note: You can only set one -hostname, -hostregex or -hostsegmentnum per command.

Parameter Required? Description
<source> Yes Path to the file or directory to monitor/upload for new input.

Unlike the other parameters, the syntax for this parameter can be the value itself. It does not have to follow a parameter flag. You can use either of "./splunk monitor <source>" or "./splunk monitor -source <source>".

sourcetype No Specify a sourcetype field value for events from the input source.
index No Specify the destination index for events from the input source.
hostname or host No Specify a host name to set as the host field value for events from the input source.

These parameters are functionally equivalent.

hostregex or host_regex No Specify a regular expression to use to extract the host field value from the source key.

These parameters are functionally equivalent.

hostsegmentnum or host_segment No An integer, which determines what "/" separated segment of the path to set as the host field value. If set to 3, for example, the third segment of the path is used.

These parameters are functionally equivalent.

rename-source No Specify a value for the "source" field to be applied to data from this file.
follow-only No Set to true or false. Default is false.

When set to true, Splunk Enterprise reads from the end of the source (like the "tail -f" Unix command).

This parameter is not available for add oneshot.

Example 1: Monitor files in a directory

The following example shows how to monitor files in /var/log/.

Add /var/log/ as a data input: 

./splunk add monitor /var/log/

Example 2: Monitor windowsupdate.log

The following example shows how to monitor the Windows Update log file where Windows logs automatic updates, sending the data to an index called "newindex".

Add C:\Windows\windowsupdate.log as a data input: 

splunk add monitor c:\Windows\windowsupdate.log -index newindex

Example 3: Monitor Internet Information Server (IIS) logging

This example shows how to monitor the default location for Windows IIS logging.

Add C:\windows\system32\LogFiles\W3SVC as a data input: 

./splunk add monitor c:\windows\system32\LogFiles\W3SVC

Example 4: Upload a file

This example shows how to upload a file into Splunk. Splunk Enterprise consumes the file only once. It does not monitor it continuously.

Upload /var/log/applog (C:\Program Files\AppLog\log.txt on Windows) directly into Splunk Enterprise with the add oneshot command:

Unix Windows
./splunk add oneshot /var/log/applog .\splunk add oneshot C:\Program Files\AppLog\log.txt

You can also upload a file through the sinkhole directory with the spool command:

Unix Windows
./splunk spool /var/log/applog .\splunk spool C:\Program Files\AppLog\log.txt

The result is the same with either command.

PREVIOUS
Use Splunk Web 		  NEXT
Edit inputs.conf

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2

Comments

The "oneshot" command requires the exact file source path. It does not do recursive search, and do not support any wildarcds.

Ykherian
October 7, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters