Forward data from files and directories to Splunk Cloud Platform
This topic tells you how to configure and run the universal forwarder to forward the data from local files and directories. It also provides command examples for common scenarios.
See also
For more information about | See |
---|---|
Getting data from files and directories using Splunk Cloud Platform | The topics in the Get data from files and directories chapter in the Splunk Cloud Platform Getting Data In manual |
Details about other options for forwarding data | Splunk Universal Forwarder Manual |
Start and restart the universal forwarder
To start the universal forwarder, go to the $SPLUNK_HOME/bin/
directory and run the splunk start
command. After changing settings for a forwarder, you must restart the forwarder by issuing the splunk restart
command. To verify that the desired data is being forwarded to Splunk Cloud Platform, use the Splunk Web Search app.
Configure the universal forwarder to forward data
To configure forwarding, use the commands and parameters listed in the following tables.
Commands
To configure forwarding of data in files, use the commands in this table.
Command | Command syntax | Description |
---|---|---|
add monitor | add monitor <source> [-parameter value] ...
|
Start monitoring the specified input. The forwarder watches for changes to the specified source and forwards data to your Splunk Cloud Platform deployment until you remove the source. For example, to continuously monitor the files in the /var/log/ directory:
splunk add monitor /var/log/ |
edit monitor | edit monitor <source> [-parameter value] ...
|
Edit a data input that Splunk Cloud Platform is monitoring.
For example, to move a log file from the default location to splunk edit monitor C:\windows\system32\LogFiles\W3SVC |
remove monitor | remove monitor <source>
|
Stop monitoring the specified input For example, to stop monitoring of the Windows log file that contains all automatic update activity, run the following command: splunk remove monitor C:\Windows\windowsupdate.log |
list monitor | list monitor
|
Displays a list of all configured data inputs. |
add oneshot or spool
|
add oneshot <source> [-parameter value] ... or: |
Use this command to forward the contents of the specified data source once.
For example, the following commands perform a one-time forwarding of the contents of the splunk add oneshot /var/log/applog or: splunk spool /var/log/applog |
Parameters
You can use the parameters in the following table with data input commands.
Parameter | Required | Description |
---|---|---|
<source>
|
Yes | Specify the path to the file or directory that contains the data you want to monitor or upload.
The syntax for this parameter is the value. It is not preceded with the |
sourcetype
|
No | Specify a single source type for the data <source>. The source type determines how events are formatted and is a default field that is included in all events. |
hostname or host
|
No | Specify a single host or host name for the data "<source>". This default field is included in all events. |
Common command examples
This section provides command examples for monitoring files and logs and uploading a file.
Description | Command |
---|---|
Monitor the files in the /var/log/ directory (Unix)
|
splunk add monitor /var/log/ |
Monitor C:\Windows\windowsupdate.log
|
splunk add monitor C:\Windows\windowsupdate.log |
Monitor the default location for Windows IIS logging | splunk add monitor C:\windows\system32\LogFiles\W3SVC |
Monitor a set of log files in a directory, specifying metadata to be used by the Splunk indexers | splunk add monitor /tmp/foo/*.log -index se_test -sourcetype insurgency -host vm_host01 |
One-time upload of a file | splunk add oneshot /var/log/applog |
Get Windows Data into Splunk Cloud Platform | Upgrade your Forwarders |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!