Splunk® Enterprise

Getting Data In

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Monitor files and directories in Splunk Enterprise with Splunk Web

You can use Splunk Web to add inputs from files and directories.

Forwarding a file requires additional setup. See the following topics:

Go to the Add New page

You add an input from the Add Data page in Splunk Web.

You can get there by either of these two ways.

Splunk Settings

  1. Click Settings > Data Inputs.
  2. Click Files & Directories.
  3. Click New to add an input.

Splunk home

  1. Click Add Data in Splunk home.
  2. Click Upload to upload a file, Monitor to monitor a file, or Forward to forward a file.

Select the input source

  1. To add a file or directory input, click Files & Directories in Splunk Web.
  2. In the File or Directory field, type the full path to the file or directory.
    To monitor a network drive that you have mounted on the system, enter <myhost>/<mypath> for *nix or \\<myhost>\<mypath> for Windows. Confirm that Splunk Enterprise has read access to the mounted drive, as well as to the files you want to monitor.
  3. Choose how you want Splunk Enterprise to monitor the file:
    • Choose Continuously Monitor to set up an ongoing input. Splunk Enterprise monitors the file continuously for new data.
    • Choose Index Once to copy a file on the server into Splunk Enterprise.
  4. Click Next.
    If you specified a directory in the File or Directory field, Splunk Enterprise refreshes the screen to show fields for include list and exclude list. These fields let you type regular expressions that Splunk Enterprise then uses to match files for inclusion or exclusion. Otherwise, Splunk Enterprise proceeds to the Set Sourcetype page where you can preview how Splunk Enterprise proposes to index the events.

For more information on how to include and exclude data, see Include or exclude specific incoming data.

Preview your data and set its source type

When you add a new file input, Splunk Enterprise lets you set the source type of your data and preview how the data looks once it is indexed. This lets you check that the data is formatted properly and make any necessary adjustments.

For information about the Set Source Type page, see Apply the correct source types to your data.

If you skip the data preview, the Input Settings page appears.

You cannot preview directories or archived files. You also cannot preview inputs with the Log to Metrics source type.

Specify input settings

You can provide application context, the default host value, and the index in the Input Settings page. All parameters are optional.

  1. Select the appropriate Application context for this input.
  2. Set the Host value.

    The Host value sets only the host field in the resulting events. Setting this value does not direct Splunk Enterprise to look on a specific host on your network.

  3. Set the Index that you want Splunk Enterprise to send data to for this input. Leave the value as "default", unless you have defined multiple indexes and want to use one of those instead.
  4. Click Review to review all of the choices you have made.

Review your choices

After you provide all input settings, review your selections. Splunk Web lists the options you selected, including the type of monitor, the source, the source type, the application context, and the index.

  1. Review the settings.
  2. If they do not match what you want, click the left-pointing bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit. A Success page appears and the Splunk platform begins indexing the specified file or directory.
Last modified on 24 May, 2021
Monitor files and directories   Monitor Splunk Enterprise files and directories with the CLI

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters