configure splunk to read log files written 4X day

keithwsmith · ‎12-31-2020

I would like to configure splunk to read files stored in a inbound folder. These files are written 4x day, but could be up to 10X day. They files are sent from vendors, and contain a "status". The status field will be used to create a report which will be emailed to users.

The "inbound" folder is used for a number of vendors, so the log file name will be used to separate the vendor data, based on the file name.

Date File Records Status

12/24/2020 0800 log_file_vendorA_122920200800.status 1200 Filed

12/25/2020 1200 log_file_vendorA_122920200800.status 1200 Acknowledgment Sent

12/29/2020 0800 log_file_vendorA_122920200800.status 1200 Acknowledged

richgalloway · ‎01-01-2021

To tell Splunk to read the files, use a monitor stanza in an inputs.conf file. It doesn't matter how often the file is updated, Splunk will read the new data as soon as it arrives.

[monitor:///path/to/inbound/folder]
index = foo
sourcetype = mysourcetype

The props.conf settings for the files will depend on how the events are formatted in the files.

---
If this reply helps you, Karma would be appreciated.

configure splunk to read log files written 4X day

Windows

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

configure splunk to read log files written 4X day

Windows

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard