How to check a directory is being indexed (Monitor a Directory)

AccentureQBETA
Path Finder

Hi,

I'm trying to get to grips with Splunk to evaluate it for a company I work for. I'm having trouble doing some basic tasks though. I've read quite a bit of the documentation and understand Splunk from a high level. It looks like it should be a beautiful solution.

I want a basic setup to start with. I would like to just index 4 Apache Tomcat access logs (Apache's IIS Logs).

I've installed Splunk on a local machine and created a local folder to drop the files into (we have 4 servers for an application, each creating 1 log per day).

I've set up a data input via the web interface (added a regex expression for the host too).

I see from $SPLUNK_HOME/en-GB/manager/search/data/inputs/monitor the Data Input I added, and it says 4 under the Number of files.

But I don't see anything for those 4 files under the Sources, Source types and Hosts when I look here: $SPLUNK_HOME/en-GB/app/search/dashboard_live

So to me, it doesn't look like the files have been indexed for searching? I could do with knowing how you monitor loading (indexing) to see when a file has been parsed and indexed, with what host, source and source type, and how the events look for those files.

Another thing I was looking into was the inputs.conf file in Splunk\etc\system\local. I believe once I set up a data input it should add a monitoring line in here? But it looks a little empty with just several one-liners and looks nothing like the file from Splunk\etc\system\default.

0 Karma
1 Solution

joshpreston
New Member

Most useless thread. EVER.

0 Karma

AccentureQBETA
Path Finder

Why don't you post something useful and constructive? Make the thread useful for others...

I now just run searches on the indexes being indexed to. Normally a count of all requests per day, and just hope Splunk has indexed all the events properly (or as I expect).

0 Karma

dmaislin_splunk
Splunk Employee

Use Windows Explorer and search for inputs.conf. I thought Linux, but you are on Windows.

0 Karma

AccentureQBETA
Path Finder

C:\Program Files\Splunk\etc\apps>find . -name "inputs.conf" -print
Access denied - .
File not found - -NAME
File not found - -PRINT

0 Karma

dmaislin_splunk
Splunk Employee

In a nutshell, if you are in an app, let's say the search app, and then you go to manager/data inputs, the inputs.conf will be located in $SPLUNK_HOME\etc\apps\search\local. If you are in another app, the inputs.conf will be in another app's local directory. Are you on a Linux box?

Go to $SPLUNK_HOME\etc\apps and search using Windows Explorer for inputs.conf files.

Nothing is ever going to be in the directories that you listed above for your use cases.

0 Karma

AccentureQBETA
Path Finder

I'll read through this and see if I get my answers. Thank you for the reply.

0 Karma