Hi Team,
I have installed the Splunk forwarder on an EC2 instance which has httpd running on it. Now, the problem here is that the httpd folder is not visible in the Splunk UI. Based on my understanding, when I go to Data summary -> sources, the folder won't show.
Can you please help me here as to why that folder is not available?
Thanks,
Piyush
Okay, understood, but what about the command below? Will it not add any input for the forwarder to monitor?
./splunk add monitor /var/log/httpd/
Kindly let me know thanks.
That's right @pnikhade, but you should also add the intended index and sourcetype using something like this:
./splunk add monitor /var/log/httpd/ -index yourIndexName -sourcetype apache:access
Adjust accordingly of course!
This assumes you are not managing the server using a Deployment Server.
Yes. Splunk will start monitoring that directory, but unless you explicitly specify the index and sourcetype, it will default to the main index and try to auto-detect the sourcetype, which may not be ideal for structured logs like Apache access logs.
Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hi @pnikhade
The Data summary -> sources view shows the sources which Splunk is receiving/monitoring; it does not automatically pick up your httpd logs unless you have already specified them.
You need to:
1. Add a monitoring input on the forwarder that watches that folder.
2. Ensure the forwarder can read the files (permissions, ownership).
3. Verify that the forwarder actually forwards those events to your indexer and that the index is receiving data.
There are a number of ways to create the input, such as using conf files (see the example below):
$SPLUNK_HOME/etc/system/local/inputs.conf (or the appropriate app workspace) on the forwarder:
[monitor:///var/log/httpd]
disabled = false
# Update index as required
index = main
sourcetype = apache:access
Replace `/var/log/httpd` with your actual Apache log path (e.g., `/var/www/html/httpd` if that is what you want).
If you only want to monitor your Apache logs, use the standard Apache sourcetype or create a custom one.
After editing, restart the forwarder: $SPLUNK_HOME/bin/splunk restart
Check file permissions
The Splunk user that runs the forwarder (often `splunk` or `splunkfwd`) must have read access to the logs:
sudo -u splunk ls -l /var/log/httpd
If it reports “Permission denied,” change ownership or adjust ACLs accordingly.
Verify the data actually arrives. On the forwarder, run `$SPLUNK_HOME/bin/splunk btool inputs list --debug`
to verify the stanza is active.
Check the forwarder’s $SPLUNK_HOME/var/log/splunk/splunkd.log for errors when reading the folder.
Once the forwarder is correctly monitoring the folder, you will see events populated in the selected index, and the “Data Summary -> Sources” view will show the logs from that folder.
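A small shell helper for the checks in the answer above (an added example, not code from the thread or from Splunk): it reads the [monitor://...] stanza for a given path out of an inputs.conf, reports whether it is enabled and which keys it sets, and counts files in the log directory that the current user cannot read, so it can be run as the forwarder's account with sudo -u. The conf path, log directory and user name `splunk` are assumptions.

```shell
#!/bin/sh
# Checks for a Universal Forwarder monitor input (added example, not from the thread).
# Assumed inputs: an inputs.conf path, the log directory and the account running splunkd.

# Echo the value of KEY inside the [monitor://PATH] stanza of CONF (empty if absent).
# A trailing slash on the path or on the stanza header is ignored.
monitor_key() {
  conf="$1"; path="${2%/}"; key="$3"
  awk -v want="[monitor://$path]" -v key="$key" '
    /^\[/ { hdr = $0; sub(/\/\]$/, "]", hdr); in_stanza = (hdr == want); next }
    in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$conf"
}

# Return 0 if CONF contains a [monitor://PATH] stanza at all, 1 otherwise.
monitor_stanza_exists() {
  path="${2%/}"
  awk -v want="[monitor://$path]" '
    /^\[/ { hdr = $0; sub(/\/\]$/, "]", hdr); if (hdr == want) { found = 1; exit } }
    END { exit !found }
  ' "$1"
}

# Return 0 if the stanza exists and is not switched off with disabled = 1/true.
monitor_enabled() {
  monitor_stanza_exists "$1" "$2" || return 1
  case "$(monitor_key "$1" "$2" disabled)" in
    1|true|True|TRUE) return 1 ;;
    *) return 0 ;;
  esac
}

# Count regular files directly under DIR that the *current* user cannot read.
# To test the forwarder's account: sudo -u splunk sh -c '. ./check_uf_input.sh; unreadable_count /var/log/httpd'
unreadable_count() {
  n=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    [ -r "$f" ] || n=$((n + 1))
  done
  echo "$n"
}

# Usage: sh check_uf_input.sh $SPLUNK_HOME/etc/system/local/inputs.conf /var/log/httpd
if [ "$#" -eq 2 ]; then
  monitor_enabled "$1" "$2" && echo "enabled monitor stanza for $2" || echo "no enabled [monitor://$2] stanza in $1"
  echo "files in $2 unreadable by $(id -un): $(unreadable_count "$2")"
fi
```

Note that root can read mode-000 files, so the unreadable count only means something when run as the forwarder's own account.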
Splunk UF doesn't automatically monitor folders. Did you add/configure any input (inputs.conf) for this?
Also does this folder have any readable files?
Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!