
Adding text file into splunk

Explorer

I have a script containing IP and value.
sh basic.sh >> sample.out
Now, to get the logs, I need to add this sample.out file to Splunk like
/opt/splunkforwarder/bin/splunk add monitor sample.out.
Then the files will come into Splunk.
But the problem is I want that script to be run every hour. Adding that output file to Splunk every time is not a good idea. Is there any way to schedule it automatically or monitor that output file all the time?
Can anyone help me?

Thank you


Re: Adding text file into splunk

Builder

You can run this script as a scripted input that kicks off on a given cron schedule. Or, if you've scheduled this script to run locally and write to sample.out as you indicated, you can have Splunk read sample.out using a monitor input stanza.

Getting Data Into Splunk

Monitoring Files and Directories


Re: Adding text file into splunk

Explorer

[monitor://$SPLUNK_HOME/var/log/splunk]

Can I add that output file to this path?


Re: Adding text file into splunk

Explorer

"/opt/splunkforwarder/bin/splunk add monitor filename"
I want to avoid the above thing every time.
Can you give me the correct solution?
Thank you


Re: Adding text file into splunk

SplunkTrust

Are you saying you want to add it once, and never again?

Or are you saying you want the new data to be loaded every hour when it runs?


Re: Adding text file into splunk

Explorer

Yes. I want to add that script output file sample.out once to the Splunk path.
I want to avoid this thing:
"/opt/splunkforwarder/bin/splunk add monitor sample.out"
Splunk has to monitor changes in that outfile automatically.


Re: Adding text file into splunk

Splunk Employee

Splunk will automatically monitor changes in that outfile automatically!

You can either append data to the file, or create a new file each time, but Splunk will get updates made to it. You just need to use a monitor clause that you've already done with that add monitor command (check etc\system\local\inputs.conf, it should be listed there).


Re: Adding text file into splunk

Explorer

[monitor://$SPLUNK_HOME/var/log/splunk]

This one, right?


Re: Adding text file into splunk

Explorer

If I place my output file inside this path SPLUNK_HOME/var/log/splunk,
will it detect the changes automatically?


Re: Adding text file into splunk

Splunk Employee

Add the following to etc\system\local\inputs.conf

[monitor://path/to/your/file/outfile]
index=main

Refer to http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Inputsconf and http://docs.splunk.com/Documentation/Splunk/6.5.3/Data/WhatSplunkcanmonitor.

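The two approaches mentioned in this thread (a scripted input on a cron schedule, or an externally scheduled script plus a monitor stanza), written out as an added example that is not from any of the posters. The app name `my_inputs`, the sourcetype `basic_script` and the absolute path `/var/log/basic/sample.out` are assumptions; enable only one of the two options, otherwise the same data is indexed twice.

```ini
# inputs.conf on the forwarder, for example:
#   /opt/splunkforwarder/etc/apps/my_inputs/local/inputs.conf
# (the app name "my_inputs" is an assumption)

# Option A: Splunk runs the script itself and indexes whatever it writes
# to stdout, so no sample.out file and no redirect are needed.
# The path is relative to the app directory; the script has to sit in the
# app's bin/ directory. It runs as the forwarder's user, so keep basic.sh
# writable only by that account or root.
[script://./bin/basic.sh]
# cron syntax: minute 0 of every hour
interval = 0 * * * *
index = main
# constructed sourcetype name
sourcetype = basic_script
disabled = 0

# Option B: the system crontab runs the script every hour and appends to a
# fixed, absolute path, for example:
#   0 * * * * sh /path/to/basic.sh >> /var/log/basic/sample.out
# Splunk then tails that file continuously. The stanza is written once;
# new lines are picked up without running "splunk add monitor" again.
# The file must be readable by the forwarder's user.
[monitor:///var/log/basic/sample.out]
index = main
sourcetype = basic_script
disabled = 0
```

Restart the forwarder after editing the file (`/opt/splunkforwarder/bin/splunk restart`) so the new stanza is loaded.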