Getting Data In

How do you monitor a folder in Splunk for a specific index or source type?

maryamchar
Explorer

Hello,

I'm new to Splunk. I'm using the Search and Reporting app only. I want to upload data using monitor, however, my question is there a way to monitor a certain folder for a specific source type and Index? I want Splunk to keep monitoring that source type, and that index, all the time and all my files are located on the same folder.

How would i tell Splunk to monitor a certain source type or index ?

Please let me know, if you can show me an example that would be great, Thank you in advance!

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You can't monitor for specific indexes or sourcetypes. You can, however, monitor for specific data using regular expressions. Events that match those expressions can be indexed and everything else can be discarded. See "Route and filter data" at https://docs.splunk.com/Documentation/Splunk/7.1.2/Forwarding/Routeandfilterdatad.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You can't monitor for specific indexes or sourcetypes. You can, however, monitor for specific data using regular expressions. Events that match those expressions can be indexed and everything else can be discarded. See "Route and filter data" at https://docs.splunk.com/Documentation/Splunk/7.1.2/Forwarding/Routeandfilterdatad.

---
If this reply helps you, Karma would be appreciated.
0 Karma

maryamchar
Explorer

Thank you! Can you monitor an entire folder instead that has a lot of files that keep coming to that folder ? using the monitor (add data) tool. ? If yes how should i approch that ? Thank you!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, you can monitor a directory as well as individual files. Using the Add Data tool, select the Monitor option followed by "Files & Directories". The rest should be self-explanatory.

---
If this reply helps you, Karma would be appreciated.
0 Karma

maryamchar
Explorer

Thank you! But each of those files in that directory of folder, can't have it's own sourcetype name correct ?
I'm trying to find if there is a way to set each of those files to have it's own sourcetype name, and all of them have CSV as sourcetype as well. But as of now i can only set one sourcetype name but thats for all my files not a specific one.
Also, what does the blacklist and whitelist do in this case ? Again thank you for your respose i appreciate it!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Generally speaking, yes, each monitor stanza specifies a single sourcetype. There are ways to use transforms.conf to change that, though.
Whitelist and blacklist tell Splunk which files in the directory it should read or ignore, respectively.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...