How to add a new directory to continuously monitor...

kwanx · ‎10-15-2015

Hello!

This most likely is operator error, but not sure; don't seem to be able to do this in one GUI effort.

Using: Settings-->Data Inputs-->Add new (Files & directories)

If I select a Single File:
Able to "Set Sourcetype"

If I select a Directory:
"Data preview will be skipped, it is not supported for directories."
Not able to "Set Sourcetype"

Trying to, from the GUI: 1) Add new Directory 2) Set it to Continuously Monitor 3) Create new source type (and adjust setting such as time stamp look ahead)

Maybe I am supposed to create a new source type first with a sample file, and then create a new file/directory monitoring while selecting the existing source type previously created?

richgalloway · ‎10-15-2015

If you select Single File you can set a sourcetype. After you have your settings the way to want them you'll have the option to monitor the file, monitor the directory, or import the file. Choose the directory option.

---
If this reply helps you, Karma would be appreciated.

kwanx · ‎10-15-2015

Thank you Rich. I assumed (perhaps incorrectly) that if I selected /path/to/file.txt, then it would only look for file.txt when selecting continuously monitor? Would it also find file2.txt file3.txt...?

richgalloway · ‎10-15-2015

I believe Splunk is smart enough to figure out what to monitor when you elect to watch a directory rather than a single file.

---
If this reply helps you, Karma would be appreciated.

How to add a new directory to continuously monitor and create a new sourcetype from Splunk Web?

Buttercup Games: Further Dashboarding Techniques (Part 3)

Digital Resilience Assessment Launch | How prepared are you for disruption?

Buttercup Games: Further Dashboarding Techniques (Part 2)