configure splunk to read log files written 4X day

keithwsmith · ‎12-31-2020

I would like to configure splunk to read files stored in a inbound folder. These files are written 4x day, but could be up to 10X day. They files are sent from vendors, and contain a "status". The status field will be used to create a report which will be emailed to users.

The "inbound" folder is used for a number of vendors, so the log file name will be used to separate the vendor data, based on the file name.

Date File Records Status

12/24/2020 0800 log_file_vendorA_122920200800.status 1200 Filed

12/25/2020 1200 log_file_vendorA_122920200800.status 1200 Acknowledgment Sent

12/29/2020 0800 log_file_vendorA_122920200800.status 1200 Acknowledged

richgalloway · ‎01-01-2021

To tell Splunk to read the files, use a monitor stanza in an inputs.conf file. It doesn't matter how often the file is updated, Splunk will read the new data as soon as it arrives.

[monitor:///path/to/inbound/folder]
index = foo
sourcetype = mysourcetype

The props.conf settings for the files will depend on how the events are formatted in the files.

---
If this reply helps you, Karma would be appreciated.

configure splunk to read log files written 4X day

Windows

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!