Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I add new text file everyday?

maha110192
Explorer
‎02-18-2022 09:37 PM

Hello splunkies!

I'm trying to be and admin and I'm doing an exercise but I cannot find the way to configure my inputs.conf

here the exercise:

path:  /logfiles/syslog/training-nix01.txt

This file will be updated continuously and will roll daily to training-nix01.1, training-nix01.1 etc

Data from these files should be written to

Index: Training

Sourcetype: tp:tr 

 

any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-18-2022 10:35 PM

Hi @maha110192,

here you can find the full documentation about Gettin Data in https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain , here you can find the documentation about your Use Case https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Monitorfilesanddirectories

In few words, you have to configure the inputs.conf file and you have two ways to do this:

  • by GUI if the file is in the same Splunk Server,
  • manually modifying the inputs.conf file if the file is in a different server wher you have a Universal Forwarder.

in both cases, you'll have a new stanza in inputs.conf stanza:

[monitor://logfiles/syslog/training-nix*]
disabled = 0
index = Training
sourcetype = tp:tr

if you manually modify the inputs.conf file, you have to restart Splunk on the system where the file is located.

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution

maha110192
Explorer
‎02-18-2022 10:46 PM

Thank you very much @gcusello I was doing everthing right except the way to get a new text file daily.

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-18-2022 10:35 PM

Hi @maha110192,

here you can find the full documentation about Gettin Data in https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain , here you can find the documentation about your Use Case https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Monitorfilesanddirectories

In few words, you have to configure the inputs.conf file and you have two ways to do this:

  • by GUI if the file is in the same Splunk Server,
  • manually modifying the inputs.conf file if the file is in a different server wher you have a Universal Forwarder.

in both cases, you'll have a new stanza in inputs.conf stanza:

[monitor://logfiles/syslog/training-nix*]
disabled = 0
index = Training
sourcetype = tp:tr

if you manually modify the inputs.conf file, you have to restart Splunk on the system where the file is located.

Ciao.

Giuseppe

 

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...