Getting Data In

How to check a directory is being indexed (Monitor a Directory)

AccentureQBETA
Path Finder

Hi,

I'm trying to get to grips with Splunk to evaluate it for a company I work for. I'm having trouble doing some basic tasks though. I've read quite a bit of the documentation and understand Splunk from a high level. It looks like it should be a beautiful solution.

I want a basic set up to start with. I would like to just index 4 Apache Tomcat access logs (Apache's IIS Logs).

I've installed Splunk on a local machine and created a local folder to drop the files into (we have 4 servers for an application, each creating 1 log per day).

I've set up a data input via the web interface (added a regex expression for the host too).

I see from $SPLUNK_HOME/en-GB/manager/search/data/inputs/monitor the Data Input I added and it says 4 under the Number of files.

But I don't see anything for those 4 files under the Sources, Source types and Hosts when I look here: $SPLUNK_HOME/en-GB/app/search/dashboard_live

So to me, it doesn't look like the files have been indexed for searching? I could do with knowing how you monitor loading (indexing) to see when a file has been parsed, indexed and with what host, source, source type and how the events look for those files?

Another thing I was looking into was the inputs.conf file, in Splunk\etc\system\local. I believe once I set up a data input it should add a monitoring line in here? But it looks a little empty with just several one liners and looks nothing like the file from Splunk\etc\system\default

0 Karma
1 Solution

joshpreston
New Member

Most useless thread. EVER.

0 Karma

AccentureQBETA
Path Finder

Why don't you post something useful and constructive? Make the thread useful for others...

I now just run searches on indexes being indexed to. Normally a count of all requests per day and just hope Splunk has indexed all the events properly (or as I expect).

0 Karma

dmaislin_splunk
Splunk Employee

Use Windows Explorer and search for inputs.conf. I thought Linux, but you are on Windows.

0 Karma

AccentureQBETA
Path Finder

C:\Program Files\Splunk\etc\apps>find . -name "inputs.conf" -print
Access denied - .
File not found - -NAME
File not found - -PRINT

0 Karma

dmaislin_splunk
Splunk Employee

In a nutshell, if you are in an app, let's say the search app, and then you go to manager/data inputs, the inputs.conf will be located in $SPLUNK_HOME\etc\apps\search\local. If you are in another app, the inputs.conf will be in another app's local directory. Are you on a Linux box?

Go to $SPLUNK_HOME\etc\apps and search using Windows Explorer for inputs.conf files.

Nothing is ever going to be in the directories that you listed above for your use cases.

0 Karma
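
The search for inputs.conf described in the reply above can also be scripted. This is an added example, not part of the original posts and not Splunk's own code: it walks an etc directory, finds every inputs.conf, and lists the [monitor://...] stanzas with their settings, so a data input created from inside an app shows up under that app's local directory. The function names, the sample directory tree, and the sample stanza values are assumptions constructed for illustration.

```python
import os
import tempfile

def find_monitor_stanzas(etc_dir):
    """Return {inputs.conf path: {monitored path: {setting: value}}}."""
    found = {}
    for root, _dirs, files in os.walk(etc_dir):
        if "inputs.conf" not in files:
            continue
        conf = os.path.join(root, "inputs.conf")
        stanzas, current = {}, None
        with open(conf, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue  # skip blank lines and comments
                if line.startswith("[") and line.endswith("]"):
                    name, current = line[1:-1], None
                    if name.startswith("monitor://"):
                        current = stanzas.setdefault(name[len("monitor://"):], {})
                elif current is not None and "=" in line:
                    key, value = line.split("=", 1)
                    current[key.strip()] = value.strip()
        if stanzas:
            found[conf] = stanzas
    return found

def build_sample_tree(base):
    """Write a constructed etc tree (sample data, not taken from the thread)."""
    samples = {
        ("system", "local"): "[default]\nhost = SAMPLE-PC\n",
        ("apps", "search", "local"): (
            "[monitor://C:\\logs\\tomcat]\n"
            "disabled = false\n"
            "host_regex = (srv\\d+)_access\n"
            "sourcetype = access_common\n"),
    }
    for parts, text in samples.items():
        folder = os.path.join(base, "etc", *parts)
        os.makedirs(folder)
        with open(os.path.join(folder, "inputs.conf"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return os.path.join(base, "etc")

if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME")  # falls back to the constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(home, "etc") if home else build_sample_tree(tmp)
        for conf, stanzas in find_monitor_stanzas(etc).items():
            for path, settings in stanzas.items():
                print(f"{conf}: {path} {settings}")
```

On the constructed tree, only the file under apps\search\local is reported; the system\local file holds a [default] stanza and no monitor input.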

AccentureQBETA
Path Finder

I'll read through this and see if I get my answers. Thank you for the reply.

0 Karma