How to add a new directory to continuously monitor and create a new sourcetype from Splunk Web?

Explorer

Hello!

This most likely is operator error, but not sure; don't seem to be able to do this in one GUI effort.

Using: Settings-->Data Inputs-->Add new (Files & directories)

If I select a Single File:
Able to "Set Sourcetype"

If I select a Directory:
"Data preview will be skipped, it is not supported for directories."
Not able to "Set Sourcetype"

Trying to, from the GUI: 1) Add new Directory 2) Set it to Continuously Monitor 3) Create new source type (and adjust settings such as time stamp look ahead)

Maybe I am supposed to create a new source type first with a sample file, and then create a new file/directory monitoring while selecting the existing source type previously created?

0 Karma

SplunkTrust

If you select Single File you can set a sourcetype. After you have your settings the way you want them you'll have the option to monitor the file, monitor the directory, or import the file. Choose the directory option.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

Thank you Rich. I assumed (perhaps incorrectly) that if I selected /path/to/file.txt, then it would only look for file.txt when selecting continuously monitor? Would it also find file2.txt, file3.txt...?

0 Karma

SplunkTrust

I believe Splunk is smart enough to figure out what to monitor when you elect to watch a directory rather than a single file.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
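
For reference, the same result expressed in Splunk's configuration files, as an added example that is not from any poster in this thread: a directory monitor input tied to a custom sourcetype with its own timestamp lookahead. The directory is taken from the `/path/to/file.txt` path mentioned above; the sourcetype name `my_custom_log`, the file-name filter and the timestamp format are assumptions chosen for illustration.

```ini
# ---- inputs.conf ----
# A monitor stanza that names a directory (not a file) covers the files
# inside it, e.g. file.txt, file2.txt, file3.txt, and keeps watching
# for new files and for data appended to existing ones.
[monitor:///path/to]
# Hypothetical sourcetype name; it must match the props.conf stanza below.
sourcetype = my_custom_log
disabled = false
# Optional filter: a regex matched against the full file path, so only
# .txt files in the directory are indexed (assumed for this example).
whitelist = \.txt$

# ---- props.conf ----
# Settings that the "Set Sourcetype" preview page would otherwise write.
[my_custom_log]
# The timestamp is assumed to sit at the very start of each event,
# in the constructed form 2024-01-31 13:45:10 (19 characters).
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Number of characters after TIME_PREFIX that Splunk scans for a timestamp.
MAX_TIMESTAMP_LOOKAHEAD = 19
# Treat every line as its own event (assumed single-line log format).
SHOULD_LINEMERGE = false
```

Comments in Splunk `.conf` files must sit on their own lines; text placed after a value on the same line becomes part of that value.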