Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Forward data from files and directories to Splunk Cloud Platform

This topic tells you how to configure and run the universal forwarder to forward the data from local files and directories. It also provides command examples for common scenarios.

See also

For more information about See
Getting data from files and directories using Splunk Cloud Platform The topics in the Get data from files and directories chapter in the Splunk Cloud Platform Getting Data In manual
Details about other options for forwarding data Splunk Universal Forwarder Manual

Start and restart the universal forwarder

To start the universal forwarder, go to the $SPLUNK_HOME/bin/ directory and run the splunk start command. After changing settings for a forwarder, you must restart the forwarder by issuing the splunk restart command. To verify that the desired data is being forwarded to Splunk Cloud Platform, use the Splunk Web Search app.

Configure the universal forwarder to forward data

To configure forwarding, use the commands and parameters listed in the following tables.

Commands

To configure forwarding of data in files, use the commands in this table.

Command Command syntax Description
add monitor add monitor <source> [-parameter value] ... Start monitoring the specified input. The forwarder watches for changes to the specified source and forwards data to your Splunk Cloud Platform deployment until you remove the source. For example, to continuously monitor the files in the /var/log/ directory:
splunk add monitor /var/log/
edit monitor edit monitor <source> [-parameter value] ... Edit a data input that Splunk Cloud Platform is monitoring.

For example, to move a log file from the default location to C:\windows\system32\LogFiles\W3SVC, run the following command:

splunk edit monitor C:\windows\system32\LogFiles\W3SVC
remove monitor remove monitor <source> Stop monitoring the specified input

For example, to stop monitoring of the Windows log file that contains all automatic update activity, run the following command:

splunk remove monitor C:\Windows\windowsupdate.log
list monitor list monitor Displays a list of all configured data inputs.
add oneshot
or
spool
add oneshot <source> [-parameter value] ...

or:
spool <source> [-parameter value] ...

Use this command to forward the contents of the specified data source once.

For example, the following commands perform a one-time forwarding of the contents of the /var/log/applog directory.

splunk add oneshot /var/log/applog 

or:

splunk spool /var/log/applog

Parameters

You can use the parameters in the following table with data input commands.

Parameter Required Description
<source> Yes Specify the path to the file or directory that contains the data you want to monitor or upload.

The syntax for this parameter is the value. It is not preceded with the -source parameter flag. For example, enter <source>", not "-source <source>".

sourcetype No Specify a single source type for the data <source>. The source type determines how events are formatted and is a default field that is included in all events.
hostname
or
host
No Specify a single host or host name for the data "<source>". This default field is included in all events.

Common command examples

This section provides command examples for monitoring files and logs and uploading a file.

Description Command
Monitor the files in the /var/log/ directory (Unix)
splunk add monitor /var/log/ 
Monitor C:\Windows\windowsupdate.log
splunk add monitor C:\Windows\windowsupdate.log
Monitor the default location for Windows IIS logging
splunk add monitor C:\windows\system32\LogFiles\W3SVC 
Monitor a set of log files in a directory, specifying metadata to be used by the Splunk indexers
splunk add monitor /tmp/foo/*.log  -index se_test -sourcetype insurgency -host vm_host01
One-time upload of a file
splunk add oneshot /var/log/applog
Last modified on 09 August, 2021
PREVIOUS
Get Windows Data into Splunk Cloud Platform
  NEXT
Upgrade your Forwarders

This documentation applies to the following versions of Splunk Cloud Platform: 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105, 8.2.2106, 8.2.2107 (latest FedRAMP release), 8.2.2109, 8.2.2111


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters