Getting Data In

Adding text file into splunk

prathapkcsc
Explorer

I have a script containing IP and value.
sh basic.sh >> sample.out
Now, to get the logs, I need to add this sample.out file to Splunk like
/opt/splunkforwarder/bin/splunk add monitor sample.out
Then the files will come into Splunk.
But the problem is I want that script to be run every hour. Adding that output file to Splunk every time is not a good idea. Is there any way to schedule it automatically or monitor that output file all the time?
Can anyone help me?

Thank you

0 Karma
1 Solution

sduff_splunk
Splunk Employee

Add the following to etc\system\local\inputs.conf

[monitor://path/to/your/file/outfile]
index=main

Refer to http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Inputsconf and http://docs.splunk.com/Documentation/Splunk/6.5.3/Data/WhatSplunkcanmonitor.

0 Karma

prathapkcsc
Explorer

[monitor://$SPLUNK_HOME/var/log/splunk/outputfile]
index=my_log_index_name

That's it, right?

0 Karma

DalJeanis
SplunkTrust

Are you saying you want to add it once, and never again?

Or are you saying you want the new data to be loaded every hour when it runs?

0 Karma

prathapkcsc
Explorer

Yes. I want to add that script output file sample.out once to the Splunk path.
I want to avoid this thing:
"/opt/splunkforwarder/bin/splunk add monitor sample.out"
Splunk has to monitor changes in that outfile automatically.

0 Karma

sduff_splunk
Splunk Employee

Splunk will monitor changes in that outfile automatically!

You can either append data to the file, or create a new file each time, but Splunk will get updates made to it. You just need to use a monitor clause that you've already done with that add monitor command (check etc\system\local\inputs.conf, it should be listed there).

prathapkcsc
Explorer

[monitor://$SPLUNK_HOME/var/log/splunk]

This one, right?

0 Karma

prathapkcsc
Explorer

If I place my output file inside this path, SPLUNK_HOME/var/log/splunk,
will it detect the changes automatically?

0 Karma

dflodstrom
Builder

You can run this script as a scripted input that kicks off on a given cron schedule. Or, if you've scheduled this script to run locally and write to sample.out as you indicated, you can have Splunk read sample.out using a monitor input stanza.

Getting Data Into Splunk

Monitoring Files and Directories

0 Karma
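
The two pieces the answers above describe (a monitor stanza that is configured once, plus the script running hourly on a schedule) as an added example; this is not code from the thread or from Splunk. The function names and the /opt/data and /opt/scripts paths are assumptions.

```shell
#!/bin/sh
# Added example: one-time setup so "splunk add monitor" never has to be re-run.
# Function names and all sample paths are hypothetical placeholders.

# Append a [monitor://<file>] stanza to an inputs.conf only if it is missing.
# $1 = inputs.conf to edit, $2 = absolute path of the file to monitor, $3 = index
ensure_monitor_stanza() {
    conf=$1; target=$2; index=$3
    case $target in
        /*) ;;   # absolute path: "monitor://" + "/opt/..." gives three slashes
        *)  echo "refusing relative path: $target" >&2; return 2 ;;
    esac
    header="[monitor://$target]"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    # -F: fixed string (the brackets are not a regex), -x: match the whole line
    if grep -Fxq "$header" "$conf"; then
        return 0   # stanza already present, leave the file untouched
    fi
    printf '\n%s\nindex = %s\ndisabled = false\n' "$header" "$index" >> "$conf"
}

# Print the crontab line that runs the script at minute 0 of every hour and
# appends its output to the monitored file.
# $1 = script path, $2 = output file (must be readable by the forwarder account)
hourly_cron_line() {
    printf '0 * * * * /bin/sh %s >> %s 2>&1\n' "$1" "$2"
}

# Typical use (commented out so sourcing this file changes nothing):
#   ensure_monitor_stanza /opt/splunkforwarder/etc/system/local/inputs.conf \
#       /opt/data/sample.out main
#   hourly_cron_line /opt/scripts/basic.sh /opt/data/sample.out   # add via crontab -e
```

The forwarder reads a hand-edited inputs.conf at startup, so restart it once after the stanza is added; from then on each hourly append to the file is picked up without any further `add monitor` call.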

prathapkcsc
Explorer

"/opt/splunkforwarder/bin/splunk add monitor filename"
I want to avoid the above thing every time.
Can you give me the correct solution?
Thank you

0 Karma

prathapkcsc
Explorer

[monitor://$SPLUNK_HOME/var/log/splunk]

Can I add that output file to this path?

0 Karma