Getting Data In

How do you monitor a folder in Splunk for a specific index or source type?

maryamchar
Explorer

Hello,

I'm new to Splunk. I'm using the Search and Reporting app only. I want to upload data using monitor. However, my question is: is there a way to monitor a certain folder for a specific source type and index? I want Splunk to keep monitoring that source type and that index all the time, and all my files are located in the same folder.

How would I tell Splunk to monitor a certain source type or index?

Please let me know. If you can show me an example, that would be great. Thank you in advance!

0 Karma
1 Solution

richgalloway
SplunkTrust

You can't monitor for specific indexes or sourcetypes. You can, however, monitor for specific data using regular expressions. Events that match those expressions can be indexed and everything else can be discarded. See "Route and filter data" at https://docs.splunk.com/Documentation/Splunk/7.1.2/Forwarding/Routeandfilterdatad.

---
If this reply helps you, Karma would be appreciated.


maryamchar
Explorer

Thank you! Can you instead monitor an entire folder that has a lot of files that keep coming into it, using the monitor (Add Data) tool? If yes, how should I approach that? Thank you!

0 Karma

richgalloway
SplunkTrust

Yes, you can monitor a directory as well as individual files. Using the Add Data tool, select the Monitor option followed by "Files & Directories". The rest should be self-explanatory.

---
If this reply helps you, Karma would be appreciated.
0 Karma

maryamchar
Explorer

Thank you! But each of those files in that directory or folder can't have its own sourcetype name, correct?
I'm trying to find out if there is a way to set each of those files to have its own sourcetype name, and all of them have CSV as sourcetype as well. But as of now I can only set one sourcetype name, and that's for all my files, not a specific one.
Also, what do the blacklist and whitelist do in this case? Again, thank you for your response, I appreciate it!

0 Karma

richgalloway
SplunkTrust

Generally speaking, yes, each monitor stanza specifies a single sourcetype. There are ways to use transforms.conf to change that, though.
Whitelist and blacklist tell Splunk which files in the directory it should read or ignore, respectively.

---
If this reply helps you, Karma would be appreciated.
0 Karma
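
The pieces discussed in this thread (one monitor stanza for a directory, a fixed index and sourcetype, whitelist/blacklist, and a transforms.conf override of the sourcetype per file), put together as an added example that is not part of the original thread. The directory path, index name, sourcetype names and file-name patterns are all assumptions chosen for illustration.

```ini
# --- inputs.conf (on the instance that reads the files) ---
# Constructed example: path, index and sourcetype names are assumptions.
[monitor:///data/incoming]
index = csv_data
sourcetype = csv_generic
# whitelist: regex on the full path; only matching files are read.
whitelist = \.csv$
# blacklist: regex on the full path; matching files are ignored.
# A file that matches both lists is not read.
blacklist = (/archive/|\.tmp\.csv$)
disabled = false

# --- props.conf (on the instance that parses the data) ---
# Apply the sourcetype overrides to everything arriving as csv_generic.
[csv_generic]
TRANSFORMS-set_sourcetype = st_firewall, st_proxy

# --- transforms.conf (same instance as props.conf) ---
# Each transform tests the event's source (the file path) and, on a match,
# rewrites the sourcetype. Files matching neither stay csv_generic.
[st_firewall]
SOURCE_KEY = MetaData:Source
REGEX = /firewall_[^/]*\.csv$
FORMAT = sourcetype::csv_firewall
DEST_KEY = MetaData:Sourcetype

[st_proxy]
SOURCE_KEY = MetaData:Source
REGEX = /proxy_[^/]*\.csv$
FORMAT = sourcetype::csv_proxy
DEST_KEY = MetaData:Sourcetype
```

The index named in the monitor stanza has to exist before data arrives, and keeping the whitelist tight limits what gets ingested from a directory that other processes can write to.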