Can splunk search/monitor files that are not index...

MikeStorms · ‎05-07-2018

Is it possible to search/monitor non-indexed files? We create daily status files and we like to present the contents of the file on a dashboard. Basically, display the file contents, it is a non-indexed file, and a new one is created everyday.

Thanks!

jconger · ‎05-07-2018

If you just want to show the contents of the file on a dashboard, you could use jQuery ajax. Here is an example:

Simple XML dashboard:

<dashboard script="external_display.js">
  <label>Test External Content</label>
  <row>
    <panel>
      <html>
        <div id="my_content"></div>
      </html>
    </panel>
  </row>
</dashboard>

external_display.js:

require(["jquery", "splunkjs/mvc/simplexml/ready!"], function($) {
    $.ajax({
        url: 'http://localhost:8000/en-US/static/app/search/my_file.txt',
        success: function(data) {
            $('#my_content').html(data)
        }
    });
});

Note: external_display.js and my_file.txt reside in $SPLUNK_HOME/etc/apps/search/appserver/static. You could use any URL that is accessible by the Splunk web server (even file system paths).

xpac · ‎05-07-2018

Data has to either indexed or in a lookup file to be displayable. Lookups also have to be in CSV format.
The only other alternative would be to script a custom search command that can read content from disk when called.

Therefore you need to do either of this.
I'd advise to monitor a directory and put your files in that directory, and then read them from there.

Can splunk search/monitor files that are not indexed?

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI