Getting Data In

Monitoring files on a local Windows 2008 R2 server, why aren't new files getting indexed?

ceichhorn
Engager

Hi Everyone,

I'm looking to monitor some files locally on the Splunk instance, and I am able to add them as data inputs. However, this monitoring does not seem to be continuous; it logs those files once and then doesn't continue to monitor them even as data is added. Am I doing something wrong? How do I get these to monitor changes to the files? Thanks very much!

This is a Splunk for Windows instance running on Windows 2008 R2.

0 Karma

stephane_cyrill
Builder

CHECK IF THE SOURCE OR THE FILE HAVE NOT BEEN BLACKLISTED.

docs.splunk.com/Documentation/Splunk/6.2.2/Data/Whitelistorblacklistspecificincomingdata

0 Karma

gyslainlatsa
Motivator

hi,
following this link: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/WhatSplunkcanmonitor

on page 45, look this specification

Via Splunk Home:

1. Click the Add Data link in Splunk Home.
2. Click Upload to upload a file, Monitor to monitor a file, or Forward to forward a file.
Note: Forwarding a file requires additional setup. See "Set up forwarding and  receiving" in the Forwarding Data manual.

B. Select the input source

1. To add a file or directory input, click Files & Directories.
2. In the File or Directory field, specify the full path to the file or directory. To monitor a shared network drive, enter the following: <myhost>/<mypath> (or  \\<myhost>\<mypath> on Windows). Make sure Splunk Enterprise has read access to the mounted drive, as well as to the files you wish to monitor.
3. Choose how you want Splunk Enterprise to monitor the file:
 ·`Continuously Monitor`. Sets up an ongoing input. Splunk Enterprise
monitors the file continuously for new data. Read the next section for
advanced options specific to this choice.

· `Index Once`. Copies a file on the server into Splunk Enterprise.
4. Click the green Next button.
0 Karma

NOUMSSI
Builder

HI,
when you choose "continuously indexing a file", the path of that file and the name of the file must not change. If one of them change, splunk'll not be able to index that file.
If you respect those conditions and your index file is heavy, be patien because i had files that take me more than 45 mn to be indexed

0 Karma

ceichhorn
Engager

Hi Noumssi,

Where is the "continuously indexing a file" option? I think that's my problem; I can't find that option in Splunk. I am not changing the file name and I have waited 24 hours.

0 Karma

NOUMSSI
Builder

which version of splunk do you use?

0 Karma

ceichhorn
Engager

This is splunk 6.2.

0 Karma

NOUMSSI
Builder

ok
1. click on add data
2. click on monitor
3. files & directories
4. give the path and then click on continuously monitor

0 Karma

ceichhorn
Engager

Thanks Noum, I see it now. I think, however, that option was already chosen. Now I have to figure out why it's not actually updating.

0 Karma

NOUMSSI
Builder

make sure that this option is choosed and wait sometime, the updating'll be done

0 Karma

gyslainlatsa
Motivator

hi,
these are the windows files?

0 Karma

ceichhorn
Engager

Yes, I'm sorry -- just edited. These are Windows files. The Splunk Enterprise instance is installed on a Windows 2008 R2 server. These files are stored locally.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...