https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-the-log-files-dynamically-from-universal-forwarder-to/m-p/21853#M6782 <P>Hi, <BR /> As I told you earlier, I used the command </P> <P>./splunk add monitor directory-path -index index_name</P> <P>But it having issue and I need to update my inputs.conf on the fly. so Is there any other way to add the monitor dynamically(like the above CLI command).<BR /> In the above case I am able to add the monitor but index parameter is throwing me an error.<BR /> It's a bit urgent for our project, please let us know the solution for the same. </P> <P>Thanks in advance </P> Thu, 24 Nov 2011 05:20:54 GMT gaurav_a 2011-11-24T05:20:54Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-the-log-files-dynamically-from-universal-forwarder-to/m-p/21853#M6782 <P>Hi, <BR /> As I told you earlier, I used the command </P> <P>./splunk add monitor directory-path -index index_name</P> <P>But it having issue and I need to update my inputs.conf on the fly. so Is there any other way to add the monitor dynamically(like the above CLI command).<BR /> In the above case I am able to add the monitor but index parameter is throwing me an error.<BR /> It's a bit urgent for our project, please let us know the solution for the same. </P> <P>Thanks in advance </P> Thu, 24 Nov 2011 05:20:54 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-the-log-files-dynamically-from-universal-forwarder-to/m-p/21853#M6782 gaurav_a 2011-11-24T05:20:54Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-the-log-files-dynamically-from-universal-forwarder-to/m-p/21854#M6783 <P>gaurav_a,</P> <P>The Splunk UF you are running this command from has a condition to test and ensure the index exists prior to routing your data there. This is probably the error you are seeing:</P> <P><EM>In handler 'monitor': Parameter index: Index 'foo1' does not exist. Please provide a valid index.</EM></P> <P>Here are a few options to do this quickly:</P> <UL> <LI>Use the Splunk DeploymentServer to change the path whenever you want. Note: setting up the DepoymentServer initially could take a little time.</LI> <LI>Use a script to change the file at will either remotely or on a remote system</LI> </UL> <P>If you could articulate your use-case, I might have more ideas.</P> <P>Best,<BR /> Sean</P> Thu, 24 Nov 2011 05:38:49 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-the-log-files-dynamically-from-universal-forwarder-to/m-p/21854#M6783 sdwilkerson 2011-11-24T05:38:49Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-the-log-files-dynamically-from-universal-forwarder-to/m-p/21855#M6784 <P>In 4.3.3 and going forward, there is a parameter (<STRONG>check-index</STRONG>) that you can set to make this to happen without getting an error message complaining about the nonexistent index. By setting check-index to false, Universal Forwarder would not require the index to be there to begin with, but this is not the default behavior in 4.3.3.</P> <P>For example:</P> <PRE><CODE>./splunk add monitor /var/log/case1 -index test_case1 -check-index false </CODE></PRE> <P>The <STRONG>default</STRONG> behavior is different depending on the version</P> <UL> <LI>4.3.3 universal forwarder: default check-index is <STRONG>true</STRONG>, which means that it would always check whether the index exists</LI> <LI>4.3.4 universal forwarder: default check-index is <STRONG>true</STRONG>, which means that it would always check whether the index exists</LI> <LI>4.3.5 universal forwarder: default check-index is <STRONG>true</STRONG>, which means that it would always check whether the index exists</LI> <LI>5.0.2 universal forwarder: default check-index is <STRONG>false</STRONG></LI> </UL> Thu, 14 Mar 2013 09:33:36 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-the-log-files-dynamically-from-universal-forwarder-to/m-p/21855#M6784 mic 2013-03-14T09:33:36Z