I have a script containing ip and value.
Sh basic.sh>>sample.out
Know to get the logs i need to add this sample.out file to splunk like
/opt/splunkforwarder/bin/splunk add monitor sample.out.
Then i the files will comes into splunk..
But the problem is i want that script to be run everyone one hour..everytime adding that output file to splunk is not a good idea..Is there any way to schedule automatically or monitor that output file all the time...
Can anyone help me...
Thank you
Add the following to etc\system\local\inputs.conf
[monitor://path/to/your/file/outfile]
index=main
Refer to http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Inputsconf and http://docs.splunk.com/Documentation/Splunk/6.5.3/Data/WhatSplunkcanmonitor.
Add the following to etc\system\local\inputs.conf
[monitor://path/to/your/file/outfile]
index=main
Refer to http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Inputsconf and http://docs.splunk.com/Documentation/Splunk/6.5.3/Data/WhatSplunkcanmonitor.
[monitor://$SPLUNK_HOME/var/log/splunk/outputfile]
index=my_log_index_name
Thats it right??
Are you saying you want to add it once, and never again?
Or are you saying you want the new data to be loaded every hour when it runs?
Yes..I want to add that script output file sample.out once to the splunk path...
I want to avoid this thing
"/opt/splunkforwarder/bin/splunk add monitor sample.out"..
Splunk has to monitor changes in that outfile automatically
Splunk will automatically monitor changes in that outfile automatically!
You can either append data to the file, or create a new file each time, but Splunk will get updates made to it. You just need to use a monitor clause that you've already done with that add monitor command (check etc\system\local\inputs.conf, it should be listed there).
[monitor://$SPLUNK_HOME/var/log/splunk]
this one right?
if i place my output file inside this path SPLUNK_HOME/var/log/splunk...
wiill it detect the changes automatically?
You can run this script as a scripted input that kicks off on a given cron schedule. Or, if you've scheduled this script to run locally and write to sample.out as you indicated you can have Splunk read sample.out using a monitor input stanza.
"/opt/splunkforwarder/bin/splunk add monitor filename"
i want to avoid this above thing everytime.
can you give me the correct solution
Thank you
[monitor://$SPLUNK_HOME/var/log/splunk]
can i add that output file to this path..