Monitoring files on a local Windows 2008 R2 server...

ceichhorn · ‎04-24-2015

Hi Everyone,

I'm looking to monitor some files locally on the Splunk instance, and I am able to add them as data inputs. However, this monitoring does not seem to be continuous; it logs those files once and then doesn't continue to monitor them even as data is added. Am I doing something wrong? How do I get these to monitor changes to the files? Thanks very much!

This is a Splunk for Windows instance running on Windows 2008 R2.

stephane_cyrill · ‎04-24-2015

CHECK IF THE SOURCE OR THE FILE HAVE NOT BEEN BLACKLISTED.

docs.splunk.com/Documentation/Splunk/6.2.2/Data/Whitelistorblacklistspecificincomingdata

gyslainlatsa · ‎04-24-2015

hi,
following this link: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/WhatSplunkcanmonitor

on page 45, look this specification

Via Splunk Home:

1. Click the Add Data link in Splunk Home.
2. Click Upload to upload a file, Monitor to monitor a file, or Forward to forward a file.
Note: Forwarding a file requires additional setup. See "Set up forwarding and  receiving" in the Forwarding Data manual.

B. Select the input source

1. To add a file or directory input, click Files & Directories.
2. In the File or Directory field, specify the full path to the file or directory. To monitor a shared network drive, enter the following: <myhost>/<mypath> (or  \\<myhost>\<mypath> on Windows). Make sure Splunk Enterprise has read access to the mounted drive, as well as to the files you wish to monitor.
3. Choose how you want Splunk Enterprise to monitor the file:
 ·`Continuously Monitor`. Sets up an ongoing input. Splunk Enterprise
monitors the file continuously for new data. Read the next section for
advanced options specific to this choice.

· `Index Once`. Copies a file on the server into Splunk Enterprise.
4. Click the green Next button.

NOUMSSI · ‎04-24-2015

HI,
when you choose "continuously indexing a file", the path of that file and the name of the file must not change. If one of them change, splunk'll not be able to index that file.
If you respect those conditions and your index file is heavy, be patien because i had files that take me more than 45 mn to be indexed

ceichhorn · ‎04-24-2015

Hi Noumssi,

Where is the "continuously indexing a file" option? I think that's my problem; I can't find that option in Splunk. I am not changing the file name and I have waited 24 hours.

NOUMSSI · ‎04-24-2015

which version of splunk do you use?

ceichhorn · ‎04-24-2015

This is splunk 6.2.

NOUMSSI · ‎04-24-2015

ok
1. click on add data
2. click on monitor
3. files & directories
4. give the path and then click on continuously monitor

ceichhorn · ‎04-24-2015

Thanks Noum, I see it now. I think, however, that option was already chosen. Now I have to figure out why it's not actually updating.

NOUMSSI · ‎04-24-2015

make sure that this option is choosed and wait sometime, the updating'll be done

gyslainlatsa · ‎04-24-2015

hi,
these are the windows files?

ceichhorn · ‎04-24-2015

Yes, I'm sorry -- just edited. These are Windows files. The Splunk Enterprise instance is installed on a Windows 2008 R2 server. These files are stored locally.

Monitoring files on a local Windows 2008 R2 server, why aren't new files getting indexed?

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors