Monitor files and directories in Splunk Enterprise with Splunk Web
You can use Splunk Web to add inputs from files and directories.
Forwarding a file requires additional setup. See the following topics:
- If you work with universal forwarders, see Configure the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.
- If you work with heavy forwarders, see Enable forwarding on a Splunk Enterprise instance in the Forwarding Data manual.
Go to the Add New page
You add an input from the Add Data page in Splunk Web.
You can get there by either of these two ways.
- Click Settings > Data Inputs.
- Click Files & Directories.
- Click New to add an input.
- Click Add Data in Splunk home.
- Click Upload to upload a file, Monitor to monitor a file, or Forward to forward a file.
Select the input source
- To add a file or directory input, click Files & Directories in Splunk Web.
- In the File or Directory field, type the full path to the file or directory.
To monitor a network drive that you have mounted on the system, enter
<myhost>/<mypath>for *nix or
\\<myhost>\<mypath>for Windows. Confirm that Splunk Enterprise has read access to the mounted drive, as well as to the files you want to monitor.
- Choose how you want Splunk Enterprise to monitor the file:
- Choose Continuously Monitor to set up an ongoing input. Splunk Enterprise monitors the file continuously for new data.
- Choose Index Once to copy a file on the server into Splunk Enterprise.
- Click Next.
If you specified a directory in the File or Directory field, Splunk Enterprise refreshes the screen to show fields for include list and exclude list. These fields let you type regular expressions that Splunk Enterprise then uses to match files for inclusion or exclusion. Otherwise, Splunk Enterprise proceeds to the Set Sourcetype page where you can preview how Splunk Enterprise proposes to index the events.
For more information on how to include and exclude data, see Include or exclude specific incoming data.
Preview your data and set its source type
When you add a new file input, Splunk Enterprise lets you set the source type of your data and preview how the data looks once it is indexed. This lets you check that the data is formatted properly and make any necessary adjustments.
For information about the Set Source Type page, see Apply the correct source types to your data.
If you skip the data preview, the Input Settings page appears.
You cannot preview directories or archived files. You also cannot preview inputs with the
Log to Metrics source type.
Specify input settings
You can provide application context, the default host value, and the index in the Input Settings page. All parameters are optional.
- Select the appropriate Application context for this input.
- Set the Host value.
The Host value sets only the host field in the resulting events. Setting this value does not direct Splunk Enterprise to look on a specific host on your network.
- Set the Index that you want Splunk Enterprise to send data to for this input. Leave the value as "default", unless you have defined multiple indexes and want to use one of those instead.
- Click Review to review all of the choices you have made.
Review your choices
After you provide all input settings, review your selections. Splunk Web lists the options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they do not match what you want, click the left-pointing bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit. A Success page appears and the Splunk platform begins indexing the specified file or directory.
Monitor files and directories
Monitor Splunk Enterprise files and directories with the CLI
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0