topic Re: How to make splunk use dynamic data in All Apps and Add-ons

How to make splunk use dynamic data

vamsi92 — Wed, 27 Jan 2016 04:33:09 GMT

Hi,
I want splunk to continuously monitor a file, say some error log file.
and i will be writing a alert condition like if some error specific word is found in the error log, and will configure an action.
For now i am adding data through settings-> Add Data.
But the file is added into splunk is static, as even now if i change something in the original file it wont be knowing.
so i want splunk to monitor the file like an application created an error log on some location xyx. Splunk should run the scheduled alert by taking the latest copy of that error log from xyz location instead of the file i added to data.
Pls Indicate how to achieve this. And i am using splunk with Service-now(splunk addon for servicenow).
Also please specify is there any way to get data from service-now
thanks in advance.

Re: How to make splunk use dynamic data

renjith_nair — Wed, 27 Jan 2016 05:24:29 GMT

If you are using web to input your file, for continuously monitoring your file, just user the Monitor option and select the file or directory you want to monitor. Splunk will automatically monitor this file and forward event whenever there is an update.

The same can be done by configuring it in inputs.conf. Add a monitor stanza in your inputs.conf with file or directory location.

See here for more information :http://docs.splunk.com/Documentation/Splunk/6.1/Data/Editinputs.conf

In general : http://docs.splunk.com/Documentation/Splunk/6.1/Data/Monitorfilesanddirectories

For service now , check http://docs.splunk.com/Documentation/AddOns/latest/ServiceNow/ConfigureServiceNowtointegratewithSplunkEnterprise

and also check the app https://splunkbase.splunk.com/app/1770/

Re: How to make splunk use dynamic data

chimell — Wed, 27 Jan 2016 12:43:32 GMT

Hi vamsi92
You can use collect command to add data to an index which contain your originate data.
For example if you indexed data in an index called downloadcount you can make a search and put result into this index in a proportion as you make search .

Look at a search cde example using Collect command

Put "download" events into an index named "downloadcount".

eventtypetag="download" | collect index=downloadcount

For more information about collect command see the following link

http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Collect