Monitor files and directories with Splunk Web
If you have Splunk Enterprise, you can use Splunk Web to add inputs from files and directories.
Go to the Add New page
You add an input from the Add Data page in Splunk Web.
You can get there by two routes:
- Splunk Home
- Splunk Settings
- Click Settings in the upper right corner of Splunk Web.
- In the Data section of the Settings pop-up, click Data Inputs.
- Click Files & Directories.
- Click New to add an input.
- Click Add Data in Splunk Home.
- Click Upload to upload a file, Monitor to monitor a file, or Forward to forward a file.
Note: Forwarding a file requires additional setup. See the following topics:
- Conflgure the universal forwarder if you work with universal forwarders.
- Enable forwarding on a Splunk Enterprise instance if you work with heavy and light forwarders.
Select the input source
- To add a file or directory input, click Files & Directories.
- In the File or Directory field, specify the full path to the file or directory.
To monitor a shared network drive, enter the following:
\\<myhost>\<mypath>on Windows). Confirm that Splunk Enterprise has read access to the mounted drive, as well as to the files you want to monitor.
- Choose how you want Splunk Enterprise to monitor the file.
- Continuously Monitor. Sets up an ongoing input. Splunk Enterprise monitors the file continuously for new data.
- Index Once. Copies a file on the server into Splunk Enterprise.
- Click Next. If you specified a directory in the "File or Directory" field, Splunk Enterprise refreshes the screen to show fields for "whitelist" and "blacklist". These fields let you specify regular expressions that Splunk Enterprise then uses to match files for inclusion or exclusion. Otherwise, Splunk Enterprise proceeds to the "Set Sourcetype" page where you can preview how Splunk Enterprise proposes to index the events.
For more information on how to include and exclude data, see Include or exclude specific incoming data.
Preview your data and set its source type
When you add a new file input, Splunk Enterprise lets you set the source type of your data and preview how it will look once it has been indexed. This lets you ensure that the data has been formatted properly and make any necessary adjustments.
For information about this page, see The Set Sourcetype page.
If you skip previewing the data, the Input Settings page appears.
Note: You cannot preview directories or archived files. You also cannot preview inputs with the Log to Metrics source type.
Specify input settings
You can specify application context, default host value, and index in the Input Settings page. All parameters are optional.
- Select the appropriate Application context for this input.
- Set the Host name value.
Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.
- Set the Index that Splunk Enterprise should send data to for this input. Leave the value as "default", unless you have defined multiple indexes and want to use one of those instead.
- Click Review to review all of the choices you have made.
Review your choices
After you specifying all input settings, review your selections. Splunk Web lists the options you selected, including but not limited to the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they do not match what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit. The "Success" page appears and Splunk Enterprise begins indexing the specified file or directory.
Monitor files and directories
Monitor files and directories with the CLI
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 8.1.2