Splunk® Enterprise

Getting Data In

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Monitor files and directories with Splunk Web

If you have Splunk Enterprise, you can use Splunk Web to add inputs from files and directories.

Go to the Add New page

You add an input from the Add Data page in Splunk Web.

You can get there by two routes:

  • Splunk Home
  • Splunk Settings

Splunk Settings:

  1. Click Settings in the upper right corner of Splunk Web.
  2. In the Data section of the Settings pop-up, click Data Inputs.
  3. Click Files & Directories.
  4. Click New to add an input.

Splunk Home:

  1. Click Add Data in Splunk Home.
  2. Click Upload to upload a file, Monitor to monitor a file, or Forward to forward a file.

Note: Forwarding a file requires additional setup. See the following topics:

Select the input source

  1. To add a file or directory input, click Files & Directories.
  2. In the File or Directory field, specify the full path to the file or directory.
    To monitor a shared network drive, enter the following: <myhost>/<mypath> (or \\<myhost>\<mypath> on Windows). Confirm that Splunk Enterprise has read access to the mounted drive, as well as to the files you want to monitor.
  3. Choose how you want Splunk Enterprise to monitor the file.
    • Continuously Monitor. Sets up an ongoing input. Splunk Enterprise monitors the file continuously for new data.
    • Index Once. Copies a file on the server into Splunk Enterprise.
  4. Click Next. If you specified a directory in the "File or Directory" field, Splunk Enterprise refreshes the screen to show fields for "whitelist" and "blacklist". These fields let you specify regular expressions that Splunk Enterprise then uses to match files for inclusion or exclusion. Otherwise, Splunk Enterprise proceeds to the "Set Sourcetype" page where you can preview how Splunk Enterprise proposes to index the events.

For more information on how to whitelist and blacklist data, see Whitelist or blacklist specific incoming data.
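The whitelist and blacklist fields above are regular expressions, and the precise rules (unanchored search against the full path; a file matching both is excluded) decide which files end up indexed, which matters when a directory holds rotated, compressed, or scratch files you did not intend to ingest. The following added example (my illustration, not code from the Splunk product or this page; the matching semantics are my reading of Splunk's documented whitelist/blacklist behaviour and the file paths are constructed) applies those rules to a sample directory listing and renders the inputs.conf stanza that the wizard's choices correspond to:

```python
import re
from typing import List, Optional

# Constructed sample of files under a monitored directory (not from the page).
SAMPLE_PATHS = [
    "/var/log/app/access.log",
    "/var/log/app/error.log",
    "/var/log/app/access.log.1",
    "/var/log/app/debug.log.gz",
    "/var/log/app/tmp/scratch.log",
]


def select_monitored_files(paths: List[str],
                           whitelist: Optional[str] = None,
                           blacklist: Optional[str] = None) -> List[str]:
    """Return the paths a directory monitor would pick up.

    Assumed semantics (my reading of Splunk's whitelist/blacklist rules, not
    taken from this page): each setting is one regular expression that is
    searched, unanchored, against the full path. A whitelist keeps only paths
    it matches; a blacklist drops paths it matches; a path matching both is
    dropped, i.e. the blacklist wins.
    """
    keep = re.compile(whitelist) if whitelist else None
    drop = re.compile(blacklist) if blacklist else None
    selected = []
    for path in paths:
        if keep is not None and keep.search(path) is None:
            continue  # not on the whitelist
        if drop is not None and drop.search(path) is not None:
            continue  # blacklisted, even if it was also whitelisted
        selected.append(path)
    return selected


def render_monitor_stanza(path: str,
                          whitelist: Optional[str] = None,
                          blacklist: Optional[str] = None,
                          sourcetype: Optional[str] = None,
                          host: Optional[str] = None,
                          index: Optional[str] = None) -> str:
    """Render the inputs.conf stanza equivalent to the wizard's choices.

    Only settings that were actually chosen are written. Leaving index unset
    sends events to the indexer's default index (main on a fresh install);
    leaving host unset lets Splunk fill in the host field itself.
    """
    lines = [f"[monitor://{path}]"]
    for key, value in (("whitelist", whitelist), ("blacklist", blacklist),
                       ("sourcetype", sourcetype), ("host", host),
                       ("index", index)):
        if value:
            lines.append(f"{key} = {value}")
    lines.append("disabled = 0")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # An unanchored pattern is looser than it looks: r"\.log" also matches
    # the rotated ".log.1" and the compressed ".log.gz" files.
    print(select_monitored_files(SAMPLE_PATHS, whitelist=r"\.log"))
    # Anchoring plus a blacklist narrows the input to live logs outside tmp/.
    print(select_monitored_files(SAMPLE_PATHS, whitelist=r"\.log$",
                                 blacklist=r"/tmp/"))
    print(render_monitor_stanza("/var/log/app", whitelist=r"\.log$",
                                blacklist=r"/tmp/", index="web_logs"))
```

Run the script to see the difference between the unanchored and anchored whitelist on the sample listing; on Windows paths, remember that backslashes in the path must be escaped in the regular expression.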

Preview your data and set its source type

When you add a new file input, Splunk Enterprise lets you set the source type of your data and preview how it will look once it has been indexed. This lets you ensure that the data has been formatted properly and make any necessary adjustments.

For information about this page, see The Set Sourcetype page.

If you skip previewing the data, the Input Settings page appears.

Note: You cannot preview directories or archived files.

Specify input settings

You can specify application context, default host value, and index in the Input Settings page. All parameters are optional.

  1. Select the appropriate Application context for this input.
  2. Set the Host name value.
    Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.
  3. Set the Index that Splunk Enterprise should send data to for this input. Leave the value as "default", unless you have defined multiple indexes and want to use one of those instead.
  4. Click Review to review all of the choices you have made.

Review your choices

After you specify all input settings, review your selections. Splunk Web lists the options you selected, including but not limited to the type of monitor, the source, the source type, the application context, and the index.

  1. Review the settings.
  2. If they do not match what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit. The "Success" page appears and Splunk Enterprise begins indexing the specified file or directory.
Last modified on 02 October, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10

