This most likely is operator error, but not sure; don't seem to be able to do this in one GUI effort.
Using: Settings-->Data Inputs-->Add new (Files & directories)
If I select a Single File:
Able to "Set Sourcetype"
If I select a Directory:
"Data preview will be skipped, it is not supported for directories."
Not able to "Set Sourcetype"
Trying to, from the GUI: 1) Add new Directory 2) Set it to Continuously Monitor 3) Create new source type (and adjust settings such as time stamp look ahead)
Maybe I am supposed to create a new source type first with a sample file, and then create a new file/directory monitoring while selecting the existing source type previously created?
If you select Single File you can set a sourcetype. After you have your settings the way you want them you'll have the option to monitor the file, monitor the directory, or import the file. Choose the directory option.
Thank you Rich. I assumed (perhaps incorrectly) that if I selected /path/to/file.txt, then it would only look for file.txt when selecting continuously monitor? Would it also find file2.txt file3.txt...?
I believe Splunk is smart enough to figure out what to monitor when you elect to watch a directory rather than a single file.
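The same setup written as configuration files instead of GUI steps, as an added example that is not part of the original thread. The directory /path/to, the sourcetype name my_custom_log, the index, and the timestamp format are assumptions chosen for illustration.

```ini
# ---- inputs.conf ----
# A monitor stanza that points at a directory watches every file in it
# (file.txt, file2.txt, file3.txt, ...) and picks up new files as they appear.
# /path/to is a hypothetical directory.
[monitor:///path/to]
disabled = false
# Hypothetical sourcetype name; it must match the props.conf stanza below.
sourcetype = my_custom_log
# Assumed target index.
index = main
# Optional: only ingest .txt files so stray files in the directory are ignored.
whitelist = \.txt$

# ---- props.conf ----
# Parsing settings for the sourcetype assigned above.
[my_custom_log]
# Assumed layout: each event starts with a timestamp like 2024-01-31 13:45:10
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Only scan the first 19 characters after TIME_PREFIX for the timestamp,
# so date-like strings later in the event are not mistaken for the event time.
MAX_TIMESTAMP_LOOKAHEAD = 19
# One event per line.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
```

Because the sourcetype is set on the monitor stanza, every file found under the directory is parsed with the same props.conf settings without a per-file preview.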