topic Re: newbie splunk in Feedback

newbie splunk

pnikhade — Wed, 20 Aug 2025 06:08:13 GMT

Hi Team,

I have installed Splunk forwarder on an EC2 instance which has httpd running over it. Now, the problem here is that the httpd folder, is not visible over Splunk UI. Based on my understanding, when I go to Data summary -> sources the folder wont show.

Can you please help me here so as to why that folder not available ?

Thanks,

Piyush

Re: newbie splunk

PrewinThomas — Wed, 20 Aug 2025 07:24:25 GMT

@pnikhade

Splunk UF doesn’t automatically monitor folders. Did you add/configure any input(inputs.conf) for this?
Also does this folder have any readable files?

#https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.3/get-data-from-files-and-directories/monitor-files-and-directories-with-inputs.conf

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: newbie splunk

livehybrid — Wed, 20 Aug 2025 09:59:53 GMT

Hi @pnikhade

The Data summary -> sources shows sources which Splunk is receiving/monitoring and does not automatically log your httpd logs unless you have already specified it.

You need to:

1. Add a monitoring input on the forwarder that watches that folder.
2. Ensure the forwarder can read the files (permissions, ownership).
3. Verify that the forwarder actually forwards those events to your indexer and that the index is receiving data.

There are a number of ways to create the input, such as using conf files (See example below):

$SPLUNK_HOME/etc/system/local/inputs.conf (or the appropriate app workspace) on the forwarder:

[monitor:///var/log/httpd] disabled = false # Update index as required index = main sourcetype = apache:access

Replace `/var/log/httpd` with your actual Apache log path (e.g., `/var/www/html/httpd` if that is what you want).

If you only want to monitor your Apache logs, use the standard Apache sourcetype or create a custom one.

After editing, restart the forwarder: $SPLUNK_HOME/bin/splunk restart

Check file permissions

The Splunk user that runs the forwarder (often `splunk` or `splunkfwd`) must have read access to the logs:

sudo -u splunk ls -l /var/log/httpd

If it reports “Permission denied,” change ownership or adjust ACLs accordingly.

Verify the data actually arrives, On the forwarder, run $SPLUNK_HOME/bin/splunk list btool inputs --debug
to verify the stanza is active.

Check the forwarder’s $SPLUNK_HOME/var/log/splunk/splunkd.log for errors when reading the folder.

Once the forwarder is correctly monitoring the folder, you will see events populated in the selected index, and the “Data   Summary  -> Sources” view will show the logs from that folder.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: newbie splunk

pnikhade — Fri, 22 Aug 2025 07:01:11 GMT

Okay understood, but what about the below command, will it not add any input for the forwarder to monitor ?

./splunk add monitor /var/log/httpd/

Kindly let me know thanks.

Re: newbie splunk

PrewinThomas — Fri, 22 Aug 2025 07:08:40 GMT

@pnikhade

Yes. Splunk will start monitoring that directory, but unless you explicitly specify the index and sourcetype, it will default to the main index and try to auto-detect the sourcetype, which may not be ideal for structured logs like Apache access logs.

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: newbie splunk

livehybrid — Fri, 22 Aug 2025 09:03:28 GMT

Thats right @pnikhade but you should also add the intended index and sourcetype using something like this:

./splunk add monitor /var/log/httpd/ -index yourIndexName -sourcetype apache:access

Adjust accordingly of course!

This assumes you are not managing the server using a Deployment Server.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing