Splunk Cloud

Splunk Cloud User Manual

Download manual as PDF

Download topic as PDF

Forward data from files and directories to Splunk Cloud

This topic tells you how to configure the universal forwarder to forward the data from local files and directories. To configure forwarding, use the commands and parameters listed in the tables below. To start the universal forwarder, go to the $SPLUNK_HOME/bin/ directory and run the splunk start command. After changing settings for a forwarder, you must restart the forwarder by issuing the splunk restart command. To verify that the desired data is being forwarded to Splunk Cloud, use the Splunk Web Search app.

To configure forwarding of data in files, use the commands in this table. For details about other options for forwarding data, see the Forwarder Manual.

Command Command syntax Description
add monitor add monitor <source> [-parameter value] ... Start monitoring the specified input. The forwarder watches for changes to the specified source and forwards data to your Splunk Cloud deployment until you remove the source. For example, to continuously monitor the files in the /var/log/ directory:
splunk add monitor /var/log/
edit monitor edit monitor <source> [-parameter value] ... Edit a data input that Splunk Cloud is monitoring.

For example, to move a log file from the default location to C:\windows\system32\LogFiles\W3SVC, run the following command:

splunk edit monitor C:\windows\system32\LogFiles\W3SVC
remove monitor remove monitor <source> Stop monitoring the specified input

For example, to stop monitoring of the Windows log file that contains all automatic update activity, run the following command:

splunk remove monitor C:\Windows\windowsupdate.log
list monitor list monitor Displays a list of all configured data inputs.
add oneshot
or
spool
add oneshot <source> [-parameter value] ...

or:
spool <source> [-parameter value] ...

Use this command to forward the contents of the specified data source once.

For example, the following commands perform a one-time forwarding of the contents of the /var/log/applog directory.

splunk add oneshot /var/log/applog 

or:

splunk spool /var/log/applog

You can use the parameters in the following table with data input commands.

Parameter Required Description
<source> Yes Specify the path to the file or directory that contains the data you want to monitor or upload.

The syntax for this parameter is the value. It is not preceded with the -source parameter flag. For example, enter <source>", not "-source <source>".

sourcetype No Specify a single source type for the data <source>. The source type determines how events are formatted and is a default field that is included in all events.
hostname
or
host
No Specify a single host or host name for the data "<source>". This default field is included in all events.

Examples

Description Command
Monitor the files in the /var/log/ directory (Unix)
splunk add monitor /var/log/ 
Monitor C:\Windows\windowsupdate.log
splunk add monitor source C:\Windows\windowsupdate.log
Monitor the default location for Windows IIS logging.
splunk add monitor C:\windows\system32\LogFiles\W3SVC 
One-time upload of a file
splunk add oneshot /var/log/applog
Monitor a set of log files in a directory, specifying metadata to be used by the Splunk indexers.
splunk add monitor /tmp/foo/*.log  -index se_test -sourcetype insurgency -host vm_host01
PREVIOUS
Forward data to Splunk Cloud from MacOS
  NEXT
Overview of Splunk Cloud administration

This documentation applies to the following versions of Splunk Cloud: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.0.8, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters