Monitor Splunk Enterprise files and directories with the CLI
On Splunk Enterprise installations, you can monitor files and directories using the command line interface (CLI). To use the CLI, navigate to the $SPLUNK_HOME/bin/ directory from a command prompt or shell, and use the splunk command in that directory.
The CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well. Access that help by typing splunk help <command>.
CLI commands for input configuration
The following commands are available for input configuration using the CLI:
Command | Command syntax | Action |
---|---|---|
add monitor | add monitor [-source] <source> [-parameter value] ... | Monitor inputs from <source>. |
edit monitor | edit monitor [-source] <source> [-parameter value] ... | Edit a previously added monitor input for <source>. |
remove monitor | remove monitor [-source] <source> | Remove a previously added monitor input for <source>. |
list monitor | list monitor | List the currently configured monitor inputs. |
add oneshot | add oneshot <source> [-parameter value] ... | Copy the source file directly into Splunk Enterprise. This uploads the file once, but Splunk Enterprise does not continue to monitor it. |
spool | spool <source> | Copy the source file directly into Splunk Enterprise using the sinkhole directory. Similar to the add oneshot command, except that the file comes from the sinkhole directory, rather than being added immediately. |
CLI parameters for input configuration
Change the configuration of each data input type by setting additional parameters. To set parameters, use the syntax -parameter value.
You can set only one of -hostname, -hostregex, or -hostsegmentnum per command.
Parameter | Required? | Description |
---|---|---|
<source> | Yes | Provide the path to the file or directory being monitored and uploaded for new input. |
sourcetype | No | Provide a sourcetype field value for events from the input source. |
index | No | Provide the destination index for events from the input source. |
hostname or host | No | Provide a host name to set as the host field value for events from the input source. |
hostregex or host_regex | No | Provide a regular expression to use to extract the host field value from the source key. |
hostsegmentnum or host_segment | No | An integer, which determines what "/" separated segment of the path to set as the host field value. If set to 3, for example, the third segment of the path is used. |
rename-source | No | Provide a value for the source field to be applied to data from this file. |
follow-only | No | Set to true or false. Default is false. This parameter is not available for the |
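The following added example is not part of the Splunk documentation. It is a small POSIX shell wrapper that assembles a splunk add monitor command line from the parameters described above, enforces the rule that only one of -hostname, -hostregex, or -hostsegmentnum may be given per command, and shows which "/"-separated segment of a path -hostsegmentnum would select as the host field. It prints the command instead of executing it, so it runs without a Splunk installation; the SPLUNK_HOME variable and the default /opt/splunk path are assumptions, and the sample paths are constructed.

```shell
#!/bin/sh
# Added example (not Splunk's own code). Builds and validates a
# "splunk add monitor" command line without running splunk itself.
# Assumption: SPLUNK_HOME points at the installation; /opt/splunk is a
# placeholder default.

# host_segment PATH N
# Print the Nth "/"-separated segment of PATH, counting from 1 and
# skipping the empty segment produced by a leading "/". This mirrors
# how -hostsegmentnum 3 on /var/log/host1/app.log selects "host1".
host_segment() {
    printf '%s\n' "$1" | awk -v n="$2" -F/ '{
        k = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") continue      # skip empty leading segment
            k++
            if (k == n) { print $i; exit }
        }
    }'
}

# build_add_monitor SOURCE [-parameter value] ...
# Prints the full command on stdout. Every value is double-quoted so
# paths containing spaces survive. Returns 1 and prints nothing on
# stdout if more than one host-setting parameter was supplied, which
# the CLI does not allow in a single command.
build_add_monitor() {
    source_path="$1"; shift
    host_params=0
    cmd="${SPLUNK_HOME:-/opt/splunk}/bin/splunk add monitor \"$source_path\""
    while [ $# -ge 2 ]; do
        case "$1" in
            -hostname|-host|-hostregex|-host_regex|-hostsegmentnum|-host_segment)
                host_params=$((host_params + 1)) ;;
        esac
        cmd="$cmd $1 \"$2\""
        shift 2
    done
    if [ "$host_params" -gt 1 ]; then
        echo "error: only one of -hostname, -hostregex, -hostsegmentnum per command" >&2
        return 1
    fi
    printf '%s\n' "$cmd"
}

# Stand-alone demonstration with constructed sample paths.
build_add_monitor "/var/log/app logs/app.log" -index newindex -sourcetype applog
build_add_monitor /var/log/host1/app.log -hostsegmentnum 3
echo "host field from segment 3: $(host_segment /var/log/host1/app.log 3)"
# This call is rejected because it sets two host parameters:
build_add_monitor /var/log/app.log -hostname web01 -hostregex 'web\d+' || true
```

Run the script with sh to see the assembled commands; paste a printed line into the shell in $SPLUNK_HOME/bin to actually add the input. The quoting matters for paths such as C:\Program Files\AppLog\log.txt, where an unquoted space would split the path into two arguments.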
Example 1: Monitor files in a directory
The following example shows how to monitor files in /var/log/.
Add /var/log/ as a data input:
./splunk add monitor /var/log/
Example 2: Monitor windowsupdate.log
The following example shows how to monitor the Windows Update log file where Windows logs automatic updates, sending the data to an index called newindex.
Add C:\Windows\windowsupdate.log as a data input:
splunk add monitor c:\Windows\windowsupdate.log -index newindex
Example 3: Monitor Internet Information Server (IIS) logging
This example shows how to monitor the default location for Windows IIS logging.
Add C:\windows\system32\LogFiles\W3SVC as a data input:
./splunk add monitor c:\windows\system32\LogFiles\W3SVC
Example 4: Upload a file
This example shows how to upload a file into Splunk Enterprise. Splunk Enterprise consumes the file only once. It does not monitor it continuously.
Upload /var/log/applog on Unix or C:\Program Files\AppLog\log.txt on Windows directly into Splunk Enterprise with the add oneshot command. The Windows path contains a space, so it must be quoted:
Unix | Windows |
---|---|
./splunk add oneshot /var/log/applog | .\splunk add oneshot "C:\Program Files\AppLog\log.txt" |
You can also upload a file through the sinkhole directory with the spool command:
Unix | Windows |
---|---|
./splunk spool /var/log/applog | .\splunk spool "C:\Program Files\AppLog\log.txt" |
The result is the same with either command.
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408