Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add a new directory to continuously monitor and create a new sourcetype from Splunk Web?

kwanx
Explorer
‎10-15-2015 12:02 PM

Hello!

This most likely is operator error, but not sure; don't seem to be able to do this in one GUI effort.

Using: Settings-->Data Inputs-->Add new (Files & directories)

If I select a Single File:
Able to "Set Sourcetype"

If I select a Directory:
"Data preview will be skipped, it is not supported for directories."
Not able to "Set Sourcetype"

Trying to, from the GUI: 1) Add new Directory 2) Set it to Continuously Monitor 3) Create new source type (and adjust setting such as time stamp look ahead)

Maybe I am supposed to create a new source type first with a sample file, and then create a new file/directory monitoring while selecting the existing source type previously created?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2015 12:21 PM

If you select Single File you can set a sourcetype. After you have your settings the way to want them you'll have the option to monitor the file, monitor the directory, or import the file. Choose the directory option.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kwanx
Explorer
‎10-15-2015 01:03 PM

Thank you Rich. I assumed (perhaps incorrectly) that if I selected /path/to/file.txt, then it would only look for file.txt when selecting continuously monitor? Would it also find file2.txt file3.txt...?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2015 02:28 PM

I believe Splunk is smart enough to figure out what to monitor when you elect to watch a directory rather than a single file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...