Getting Data In

How to check a directory is being indexed (Monitor a Directory)

AccentureQBETA
Path Finder

Hi,

I'm trying to get to grips with Splunk to evaluate it for a company I work for. I'm having trouble doing some basic tasks though. I've read quite a bit of the documentation and understand Splunk from a high level. It looks like it should be a beautiful solution.

I want a basic setup to start with. I would like to just index 4 Apache Tomcat access logs (Apache's IIS Logs).

I've installed Splunk on a local machine and created a local folder to drop the files into (we have 4 servers for an application, each creating 1 log per day).

I've set up a data input via the web interface (added a regex expression for the host too).

I see from $SPLUNK_HOME/en-GB/manager/search/data/inputs/monitor the Data Input I added and it says 4 under the Number of files.

But I don't see anything for those 4 files under the Sources, Source types and Hosts when I look here: $SPLUNK_HOME/en-GB/app/search/dashboard_live

So to me, it doesn't look like the files have been indexed for searching? I could do with knowing how you monitor loading (indexing) to see when a file has been parsed, indexed and with what host, source, source type and how the events look for those files?

Another thing I was looking into was the inputs.conf file, in Splunk\etc\system\local. I believe once I set up a data input it should add a monitoring line in here? But it looks a little empty with just several one-liners and looks nothing like the file from Splunk\etc\system\default.

0 Karma
1 Solution

joshpreston
New Member

Most useless thread. EVER.

0 Karma

AccentureQBETA
Path Finder

Why don't you post something useful and constructive? Make the thread useful for others...

I now just run searches on the indexes being indexed to. Normally a count of all requests per day and just hope Splunk has indexed all the events properly (or as I expect).

0 Karma

dmaislin_splunk
Splunk Employee

Use Windows Explorer and search for inputs.conf. I thought Linux, but you are on Windows.

0 Karma

AccentureQBETA
Path Finder

C:\Program Files\Splunk\etc\apps>find . -name "inputs.conf" -print
Access denied - .
File not found - -NAME
File not found - -PRINT

0 Karma

dmaislin_splunk
Splunk Employee

In a nutshell, if you are in an app, let's say the search app, and then you go to manager/data inputs, the inputs.conf will be located in $SPLUNK_HOME\etc\apps\search\local. If you are in another app, the inputs.conf will be in another app's local directory. Are you on a Linux box?

Go to $SPLUNK_HOME\etc\apps and search using Windows Explorer for inputs.conf files.

Nothing is ever going to be in the directories that you listed above for your use cases.

0 Karma
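An added example, not part of any post in this thread: a PowerShell equivalent of the inputs.conf search described above that also prints each monitor stanza it finds, so you can see which app's local directory holds the input and which index, sourcetype and host_regex it was saved with. The fallback install path and the function name Get-MonitorStanza are assumptions.

```powershell
# Added example (not from the thread). Lists every [monitor://...] stanza in
# every inputs.conf under $SPLUNK_HOME\etc, with the file that defines it.
# Assumption: default install path is used when SPLUNK_HOME is not set.
$SplunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' }
$etc = Join-Path $SplunkHome 'etc'

# Hypothetical helper: parse one inputs.conf and emit one object per monitor stanza.
function Get-MonitorStanza {
    param([Parameter(Mandatory)][string]$Path)
    $current = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }   # skip blanks and comments
        if ($text -match '^\[(.+)\]$') {
            # A new stanza header closes the previous monitor stanza, if any.
            if ($null -ne $current) { [pscustomobject]$current }
            $name = $Matches[1]
            $current = if ($name -like 'monitor://*') {
                [ordered]@{
                    File       = $Path
                    Monitor    = $name.Substring(10)   # text after 'monitor://'
                    index      = $null
                    sourcetype = $null
                    host_regex = $null
                    disabled   = $null
                }
            } else { $null }
        }
        elseif ($null -ne $current -and $text -match '^([^=\s]+)\s*=\s*(.*)$') {
            # Record only the settings tracked above; ignore the rest.
            if ($Matches[1] -cin 'index', 'sourcetype', 'host_regex', 'disabled') {
                $current[$Matches[1]] = $Matches[2]
            }
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

Get-ChildItem -LiteralPath $etc -Recurse -File -Filter inputs.conf -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MonitorStanza -Path $_.FullName } |
    Format-Table -AutoSize -Wrap
```

An empty index column means the stanza does not set one, so the input uses the default index. Splunk's own `splunk btool inputs list --debug` prints the merged configuration together with the file each setting came from.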

AccentureQBETA
Path Finder

I'll read through this and see if I get my answers. Thank you for the reply.

0 Karma