Splunk Cloud

Getting Data In


This documentation does not apply to the most recent version of Splunk Cloud.

Monitor files and directories with inputs.conf

To configure an input on your forwarder, add a stanza to inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/.

You can set multiple attributes in an input stanza. If you do not specify a value for an attribute, the forwarder uses the default for that attribute, as defined in $SPLUNK_HOME/etc/system/default/inputs.conf.

For more information about configuration files, see About configuration files in the Splunk Enterprise Admin Manual.

Configuration settings

Use the following attributes in both monitor and batch input stanzas.

host = <string>
Description: Sets the host key to a static initial value for this stanza. The input processor uses the key during parsing and indexing to set the host field and uses the field during searching. The forwarder prepends the <string> with host::.
Default: the IP address or fully-qualified domain name of the host where the data originated.

index = <string>
Description: Sets the index where events from this input will be stored. The forwarder prepends the <string> with index::. For more information about the index field, see How indexing works in the Splunk Enterprise Managing Indexers and Clusters manual.
Default: main or whatever you set the default index to

sourcetype = <string>
Description: Sets the sourcetype key/field for events from this input. Explicitly declares the source type for this data, as opposed to letting the forwarder determine it automatically. This is important both for searchability and for applying the relevant formatting for this type of data during parsing and indexing. Sets the sourcetype key initial value. The forwarder uses the key during parsing and indexing to set the source type field and uses the source type field during searching. The forwarder prepends the <string> with sourcetype::. For more information about source types, see Why source types matter.
Default: The forwarder picks a source type based on various aspects of the data. There is no default.

queue = parsingQueue | indexQueue
Description: Specifies where the input processor should deposit the events that it reads. Set to "parsingQueue" to apply props.conf and other parsing rules to your data. Set to "indexQueue" to send your data directly into the index.
Default: parsingQueue

_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,...
Description: Specifies a comma-separated list of tcpout group names. Use this attribute to selectively forward your data to specific indexers by specifying the tcpout groups that the forwarder should use when forwarding the data. Define the tcpout group names in outputs.conf in [tcpout:<tcpout_group_name>] stanzas.
Default: the groups present in 'defaultGroup' in [tcpout] stanza in outputs.conf

host_regex = <regular expression>
Description: A regular expression that extracts host from the file name of each input. Specifically, the forwarder uses the first group of the regular expression as the host.
Default: the default "host =" attribute, if the regular expression fails to match

host_segment = <integer>
Description: Sets the segment of the path as the host, using <integer> to determine the segment. For example, if host_segment = 2, host becomes the second segment of the path. Path segments are separated by the '/' character.
Default: the default "host =" attribute, if the value is not an integer, or is less than 1
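
The host_regex and host_segment fallback rules above decide which host name every event carries, so a path that silently falls back to the static host is worth finding before it reaches the index. The following is an added example, not Splunk code: it models the documented rules in Python (Python regex syntax, matched against the full path, both assumptions) and lists the constructed sample paths that would fall back. The function names, sample paths and the collector01 host are hypothetical.

```python
import re

def resolve_host(path, default_host, host_regex=None, host_segment=None):
    """Return the host value for one monitored path (model of the rules above)."""
    if host_regex is not None:
        match = re.search(host_regex, path)
        # The first capture group is the host; no match falls back to "host =".
        if match and match.groups() and match.group(1):
            return match.group(1)
        return default_host
    if host_segment is not None:
        try:
            index = int(host_segment)
        except (TypeError, ValueError):
            return default_host          # value is not an integer
        segments = [s for s in path.split("/") if s]
        # Assumption: a segment number past the end of the path also falls back.
        if index < 1 or index > len(segments):
            return default_host
        return segments[index - 1]
    return default_host

def fallback_paths(paths, default_host, **settings):
    """List paths whose events would carry the default host, not a derived one."""
    return [p for p in paths
            if resolve_host(p, default_host, **settings) == default_host]

# Constructed sample: a central collector that writes one directory per sender.
SAMPLE_PATHS = [
    "/var/log/remote/web01/secure",
    "/var/log/remote/db02/secure",
    "/var/log/remote/lost+found",
]
COLLECTOR = "collector01"   # hypothetical value of the static "host =" setting

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", resolve_host(p, COLLECTOR, host_segment=4))
    print("falls back:",
          fallback_paths(SAMPLE_PATHS, COLLECTOR,
                         host_regex=r"/remote/([a-z]+\d+)/"))
```

With host_segment = 4 the third sample path yields the host "lost+found", while the regular expression rejects it and falls back to the collector's own name; which outcome is less misleading depends on how the host field is used in searches.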

Monitor syntax and examples

Monitor input stanzas direct the forwarder to watch all files in the <path> (or <path> itself if it represents a single file). You must specify the input type and then the path, so put three slashes in the path if the path includes the root directory.

You can use wildcards for the path. See Specify input paths with wildcards.

[monitor://<path>]
<attribute1> = <val1>
<attribute2> = <val2>

The following are additional attributes you can use when defining monitor input stanzas:

source = <string>
Description: Sets the source field for events from this input. Do not override unless absolutely necessary, or unless you use the MonitorNoHandle input and want to set the source to the name of the file you are monitoring. Consider use of source types, tagging, and search wildcards instead. The input layer usually provides a more accurate string to aid in problem analysis and investigation by accurately recording the file from which the data was retrieved. The forwarder prepends the <string> with source::.
Default: the input file path (except in the case of MonitorNoHandle, where it is MonitorNoHandle).

crcSalt = <string>
Description: Forces the forwarder to consume files that have matching CRCs (cyclic redundancy checks). By default, the software only performs CRC checks against the first few lines of a file. This behavior prevents indexing of the same file twice, even though you might have renamed it, such as with rolling log files. However, because the CRC counts only the first few lines of the file, it is possible for legitimately different files to have matching CRCs, particularly if they have identical headers. If set, the forwarder adds the string to the CRC. If set to <SOURCE>, the forwarder adds the full source path to the CRC. This ensures that each file being monitored has a unique CRC. Use caution with this attribute for rolling log files. It can lead to the log file being re-indexed after it has rolled. This setting is case sensitive.

ignoreOlderThan = <time_window>
Description: Causes the input to stop checking files for updates if their modification time (modtime) has passed the <time_window> threshold. This improves the speed of file tracking operations when monitoring directory hierarchies with large numbers of historical files (for example, when active log files share a directory with old files that no longer get writes). The forwarder does not index files whose modification time falls outside <time_window> when it first attempts to monitor the file. You must specify <number><unit>. For example, "7d" indicates one week. Valid units are "d" (days), "h" (hours), "m" (minutes), and "s" (seconds).
Default: 0 (disabled)

followTail = 0|1
Description: If set to 1, monitoring begins at the end of the file (like *nix tail -f). This only applies to files the first time the forwarder attempts to monitor them. After that, the forwarder keeps track of the file using its internal file position records.
Default: 0

whitelist = <regular expression>
Description: If set, the forwarder only monitors files whose names match the specified regular expression.
Default: N/A

blacklist = <regular expression>
Description: If set, the forwarder does NOT monitor files whose names match the specified regular expression.
Default: N/A

alwaysOpenFile = 0 | 1
Description: If set to 1, the forwarder opens a file to check if it has already been indexed. This is only useful for files that don't update their modification time. Use this attribute for monitoring files on Windows, and mainly for Internet Information Server (IIS) logs. Caution: Use of this attribute increases load and slows down indexing.

recursive = true|false
Description: If set to false, the forwarder does not look into subdirectories that it finds within a monitored directory.
Default: true

time_before_close = <integer>
Description: The modification time delta required before the forwarder can close a file on End-of-file (EOF). Tells the system not to close files that have been updated in the past <integer> seconds.
Default: 3

followSymlink = true|false
Description: If false, the forwarder ignores symbolic links that it finds within a monitored directory.
Default: true
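
The crcSalt entry above describes a trade-off that affects log completeness: without a salt, a different file with an identical header is skipped; with <SOURCE>, a rolled copy of an already-read file is read again. The following is an added example, not Splunk code, that models the duplicate check in Python. The 256-byte head length, the use of zlib.crc32, the function names and the sample files are assumptions made for illustration.

```python
import zlib

HEAD_BYTES = 256  # assumption: the page only says "the first few lines"

def file_key(path, content, crc_salt=None):
    """CRC over the head of the file, with the optional crcSalt mixed in."""
    data = content[:HEAD_BYTES]
    if crc_salt == "<SOURCE>":
        data += path.encode()        # full source path added to the CRC
    elif crc_salt:
        data += crc_salt.encode()    # literal string added to the CRC
    return zlib.crc32(data)

def files_consumed(files, crc_salt=None):
    """Return the paths read by a forwarder that skips already-seen CRCs."""
    seen, consumed = set(), []
    for path, content in files:
        key = file_key(path, content, crc_salt)
        if key not in seen:
            seen.add(key)
            consumed.append(path)
    return consumed

# Constructed sample: two sites write logs with the same long header, then
# site A's log is rolled (renamed with identical content).
HEADER = b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\n" * 6
SITE_A = ("/logs/siteA/ex01.log", HEADER + b"10.0.0.1 GET /a 200\n")
SITE_B = ("/logs/siteB/ex01.log", HEADER + b"10.0.0.2 GET /b 404\n")
ROLLED = ("/logs/siteA/ex01.log.1", SITE_A[1])
FILES = [SITE_A, SITE_B, ROLLED]

if __name__ == "__main__":
    print("no salt :", files_consumed(FILES))
    print("<SOURCE>:", files_consumed(FILES, crc_salt="<SOURCE>"))
```

Without a salt only site A's file is read, so site B's events never arrive; with <SOURCE> all three paths are read, which recovers site B but indexes site A's rolled file a second time.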

Example 1. To load anything in /apache/foo/logs or /apache/bar/logs, etc.


Example 2. To load anything in /apache/ that ends in .log.


MonitorNoHandle syntax and examples

On Windows systems only, use the MonitorNoHandle stanza to monitor files without using Windows file handles. This lets you read special log files like the Windows DNS server log files.

You must specify a valid path to a file when you use MonitorNoHandle. You cannot specify a directory. If you specify a file that already exists, the forwarder does not index the existing data in the file. It only indexes new data that the system writes to the file.

MonitorNoHandle sets the source for files you monitor to MonitorNoHandle. If you want to specify the file name as the source, you must specify it with the source setting in the stanza for the MonitorNoHandle input for the file.

You can only configure MonitorNoHandle using inputs.conf or the CLI. You cannot configure it in Splunk Web.

[MonitorNoHandle://<path>]
source = <path>
<attribute1> = <val1>
<attribute2> = <val2>

Batch syntax and examples

Use batch to set up a one-time, destructive input of data from a source. For continuous, non-destructive inputs, use monitor. Remember, after the batch input is indexed, the forwarder deletes the file.

[batch://<path>]
move_policy = sinkhole
<attribute1> = <val1>
<attribute2> = <val2>

When you define batch inputs, you must include the attribute, move_policy = sinkhole. This loads the file destructively. Do not use the batch input type for files that you do not want to delete after indexing.

Example: This example batch loads all files from the directory system/flight815/, but does not recurse through any subdirectories under it:

move_policy = sinkhole

Note: To ensure that new events are indexed when you copy over an existing file with new contents, set the CHECK_METHOD = modtime attribute in props.conf for the source. See props.conf in the Splunk Enterprise Admin Manual for details. This checks the modification time of the file and re-indexes it when it changes. Be aware that the entire file will be re-indexed, which can result in duplicate events.

Last modified on 15 February, 2020

This documentation applies to the following versions of Splunk Cloud: 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9
