Splunk® Enterprise

Getting Data In

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Monitor Splunk Enterprise files and directories with the CLI

On Splunk Enterprise installations, you can monitor files and directories using the command line interface (CLI). To use the CLI, navigate to the $SPLUNK_HOME/bin/ directory from a command prompt or shell, and use the splunk command in that directory.

The CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well. Access that help by typing splunk help <command>.

CLI commands for input configuration

The following commands are available for input configuration using the CLI:

add monitor
    Syntax: add monitor [-source] <source> [-parameter value] ...
    Action: Monitor inputs from <source>.

edit monitor
    Syntax: edit monitor [-source] <source> [-parameter value] ...
    Action: Edit a previously added monitor input for <source>.

remove monitor
    Syntax: remove monitor [-source] <source>
    Action: Remove a previously added monitor input for <source>.

list monitor
    Syntax: list monitor
    Action: List the currently configured monitor inputs.

add oneshot
    Syntax: add oneshot <source> [-parameter value] ...
    Action: Copy the source file directly into Splunk Enterprise. This uploads the file once; Splunk Enterprise does not continue to monitor it.
    You cannot use the add oneshot command for files on a remote Splunk Enterprise instance, and you cannot give it a recursive folder or a wildcard as the source. Provide the exact path of the one file you want to upload.

spool
    Syntax: spool <source>
    Action: Copy the source file into Splunk Enterprise through the sinkhole directory. Similar to the add oneshot command, except that the file is consumed from the sinkhole directory rather than being added immediately.
    The same restrictions apply: you cannot use the spool command for files on a remote Splunk Enterprise instance, and the source must be the exact path of one file, not a recursive folder or a wildcard.

CLI parameters for input configuration

Change the configuration of each data input type by setting additional parameters. To set parameters, use the syntax -parameter value.

You can set only one -hostname, -hostregex, or -hostsegmentnum per command.

<source> (required)
    The path to the file or directory to monitor or upload. This parameter can be given as a bare value; it does not have to follow a parameter flag. Both ./splunk add monitor <source> and ./splunk add monitor -source <source> work.

sourcetype (optional)
    The sourcetype field value to assign to events from the input source.

index (optional)
    The destination index for events from the input source.

hostname or host (optional)
    A host name to set as the host field value for events from the input source. These two parameters are functionally equivalent.

hostregex or host_regex (optional)
    A regular expression used to extract the host field value from the source key. These two parameters are functionally equivalent.

hostsegmentnum or host_segment (optional)
    An integer that selects which "/"-separated segment of the path to use as the host field value. If set to 3, for example, the third segment of the path is used. These two parameters are functionally equivalent.

rename-source (optional)
    A value for the source field to apply to data from this file.

follow-only (optional)
    true or false; the default is false. When set to true, Splunk Enterprise reads from the end of the source, like the Unix tail -f command, so content already in the file when the input is added is not indexed. This parameter is not available for the add oneshot command.

Example 1: Monitor files in a directory

The following example shows how to monitor files in /var/log/. A directory monitor picks up every file beneath the path, including subdirectories, so on a shared log directory consider setting -index and -sourcetype explicitly rather than accepting the defaults.

Add /var/log/ as a data input:

./splunk add monitor /var/log/ 

Example 2: Monitor windowsupdate.log

The following example shows how to monitor the Windows Update log file where Windows logs automatic updates, sending the data to an index called newindex.

Add C:\Windows\windowsupdate.log as a data input:

splunk add monitor c:\Windows\windowsupdate.log -index newindex

Example 3: Monitor Internet Information Server (IIS) logging

This example shows how to monitor the default location for Windows IIS logging.

Add C:\windows\system32\LogFiles\W3SVC as a data input:

.\splunk add monitor c:\windows\system32\LogFiles\W3SVC

Example 4: Upload a file

This example shows how to upload a file into Splunk Enterprise. Splunk Enterprise consumes the file only once. It does not monitor it continuously.

Upload /var/log/applog on Unix or C:\Program Files\AppLog\log.txt on Windows directly into Splunk Enterprise with the add oneshot command. Quote the Windows path, because it contains a space and would otherwise be split into two arguments:

Unix:

./splunk add oneshot /var/log/applog

Windows:

.\splunk add oneshot "C:\Program Files\AppLog\log.txt"

You can also upload a file through the sinkhole directory with the spool command:

Unix:

./splunk spool /var/log/applog

Windows:

.\splunk spool "C:\Program Files\AppLog\log.txt"

The result is the same with either command.
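The following script is an added example, not part of the Splunk documentation or of Splunk's own tooling. It wraps the add monitor and add oneshot commands from the parameter table above in a bash function that checks the constraints this page states before anything reaches the CLI (only one of -hostname, -hostregex or -hostsegmentnum per command; an exact file path with no wildcard or directory for oneshot; no -follow-only with oneshot) and single-quotes every value so a path with a space, like the AppLog example above, arrives at the splunk binary as one argument. SPLUNK_HOME (defaulting to /opt/splunk), the DRY_RUN switch and the sample paths are assumptions so that it runs offline; with DRY_RUN=1 it only prints the command it would execute.

```shell
#!/usr/bin/env bash
# Added example (not Splunk's code): a checked wrapper around
# "splunk add monitor" / "splunk add oneshot".
# SPLUNK_HOME, DRY_RUN and the sample paths below are assumptions.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DRY_RUN="${DRY_RUN:-1}"

# shquote VALUE: wrap VALUE in single quotes, escaping embedded single
# quotes, so it survives eval and shell word splitting unchanged.
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_input_cmd SUBCOMMAND SOURCE [-parameter value]...
# SUBCOMMAND is "monitor" or "oneshot". Echoes the full command line on
# success; returns 1 (with a message on stderr) when the arguments break a
# constraint documented on this page.
build_input_cmd() {
  local sub="$1" src="$2"; shift 2
  local host_params=0 cmd
  case "$sub" in
    monitor|oneshot) ;;
    *) echo "unsupported subcommand: $sub" >&2; return 1 ;;
  esac
  [ -n "$src" ] || { echo "source path is required" >&2; return 1; }
  if [ "$sub" = oneshot ]; then
    # oneshot takes exactly one file: no wildcards, no directories.
    case "$src" in
      *'*'*|*'?'*|*'['*|*/)
        echo "oneshot needs an exact file path (no wildcard/directory): $src" >&2
        return 1 ;;
    esac
  fi
  cmd="$(shquote "$SPLUNK_HOME/bin/splunk") add $sub $(shquote "$src")"
  while [ $# -gt 0 ]; do
    case "$1" in
      -hostname|-host|-hostregex|-host_regex|-hostsegmentnum|-host_segment)
        host_params=$((host_params + 1)) ;;
      -sourcetype|-index|-rename-source) ;;
      -follow-only)
        if [ "$sub" = oneshot ]; then
          echo "-follow-only is not available for add oneshot" >&2; return 1
        fi ;;
      *) echo "unknown parameter: $1" >&2; return 1 ;;
    esac
    [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
    cmd="$cmd $1 $(shquote "$2")"
    shift 2
  done
  # The page allows only one host-setting parameter per command.
  if [ "$host_params" -gt 1 ]; then
    echo "set only one of -hostname, -hostregex, -hostsegmentnum per command" >&2
    return 1
  fi
  printf '%s\n' "$cmd"
}

# run_input_cmd: build the command, then print it (DRY_RUN=1) or run it.
# eval is safe here because every argument was passed through shquote.
run_input_cmd() {
  local cmd
  cmd="$(build_input_cmd "$@")" || return 1
  if [ "$DRY_RUN" = 1 ]; then
    printf '[dry-run] %s\n' "$cmd"
  else
    eval "$cmd"
  fi
}

# Usage (sample paths are assumptions): a directory monitor that takes the
# host from the third path segment, and a one-time upload of a single file.
run_input_cmd monitor '/var/log/app logs/' -index app -sourcetype app:log -hostsegmentnum 3
run_input_cmd oneshot '/var/log/applog' -index app
```

Run it with DRY_RUN=1 first and compare the printed line against what you intended; only then set DRY_RUN=0 so the wrapper invokes the real binary under $SPLUNK_HOME/bin. The wrapper deliberately rejects unknown parameters rather than passing them through, so a typo such as -indx surfaces before it reaches the CLI.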

Last modified on 31 March, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.5, 8.0.10, 7.2.1, 7.0.1, 8.0.4, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 8.0.6, 8.0.7, 8.0.8