Splunk® Light (Legacy)

Getting Started Manual

Monitor files and directories using Splunk Light

Use Monitor to get data in when a file or directory is updated over time and you want Splunk Light to continue indexing the data as it changes. You can also monitor mounted or shared directories, including network file systems. If the specified directory contains subdirectories, the monitor function recursively examines them for new files.

For Windows data inputs, you can use monitor to add data from Windows event logs, Windows registry, Windows performance monitoring, and Active Directory logs.

Select the data source

1. In the Add Data view, click Monitor.

2. Select Files & Directories to view the configuration options.

3. Next to File or Directory, type in or Browse for the directory path.

4. Choose how to monitor the data input:

  • Continuously monitor configures an ongoing data input. This means that Splunk Light monitors the file or directory for updates and indexes the updates.
  • Index once copies the data into the Splunk Light index.

5. (Optional) For directory inputs, you can specify a whitelist and blacklist to indicate files you want to include and exclude when indexing the data. Use regular expressions to match these files.

6. Click Next to continue.
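Because directory inputs have no data preview, it helps to test the whitelist and blacklist patterns from step 5 against a file listing before submitting the input. The following Python sketch is an added example, not Splunk code: it assumes the patterns are searched against the full file path, unanchored, with a blacklist match taking precedence, and it uses Python's `re` module as a stand-in for Splunk's regex engine. The paths and patterns are constructed.

```python
import re

# Constructed sample listing of a monitored directory tree.
SAMPLE_PATHS = [
    "/var/log/app/access.log",
    "/var/log/app/access.log.1",
    "/var/log/app/access.log.2.gz",
    "/var/log/app/error.log",
    "/var/log/app/debug/trace.log",
    "/var/log/app/backup/server.key",
    "/var/log/app/notes.txt",
]

# Constructed patterns: keep plain and rotated .log files,
# drop debug output, compressed archives and key material.
WHITELIST = r"\.log(\.\d+)?$"
BLACKLIST = r"/debug/|\.(gz|key)$"


def preview_monitor_filter(paths, whitelist=None, blacklist=None):
    """Return (included, excluded) for a directory input.

    Assumed semantics: each regex is searched (unanchored) against the
    full path; a blacklist match excludes the file even if the
    whitelist also matches; with no whitelist, every file that is not
    blacklisted is included.
    """
    allow = re.compile(whitelist) if whitelist else None
    deny = re.compile(blacklist) if blacklist else None
    included, excluded = [], []
    for path in paths:
        if deny and deny.search(path):
            excluded.append((path, "blacklist"))
        elif allow and not allow.search(path):
            excluded.append((path, "not in whitelist"))
        else:
            included.append(path)
    return included, excluded


if __name__ == "__main__":
    included, excluded = preview_monitor_filter(SAMPLE_PATHS, WHITELIST, BLACKLIST)
    print("indexed:", *included, sep="\n  ")
    print("skipped:", *(f"{p} ({why})" for p, why in excluded), sep="\n  ")
    # Pitfall: an unanchored whitelist such as "log" also matches the
    # directory name /var/log, so it filters nothing in this tree.
    loose, _ = preview_monitor_filter(SAMPLE_PATHS, whitelist="log")
    print("whitelist 'log' would index", len(loose), "of", len(SAMPLE_PATHS), "files")
```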

Data preview

For file inputs, after you define the source, you have an additional Set source type step. This step lets you preview the data before it is indexed, customize the source type, and adjust the event breaks, timestamp, and other settings.

For directory inputs, you do not have data preview. You can set the source type in Input Settings.

Specify input settings

1. Next to Source Type, click Automatic for Splunk Light to assign the source type, click Select to choose from a list of predefined source types, or click Manual to type in a custom source type.

2. (Optional) Override the automatic Host field value assignment with a custom Constant value, Regular expression on path, or Segment in path.

3. (Optional) Specify a different Index to save the data.

You can Create a new index and refresh the list of indexes. By default, all data is saved to the default main index.

4. Click Review to continue.

Review and Save

1. Review the summary of your data input.

2. (Optional) Go back to make changes.

3. Click Submit to complete the add data process.

Last modified on 05 April, 2016

This documentation applies to the following versions of Splunk® Light (Legacy): 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6
