Hi,
As I told you earlier, I used the command
./splunk add monitor directory-path -index index_name
But it is having an issue, and I need to update my inputs.conf on the fly. So is there any other way to add the monitor dynamically (like the above CLI command)?
In the above case I am able to add the monitor, but the index parameter is throwing an error.
It's a bit urgent for our project, please let us know the solution for the same.
Thanks in advance
In 4.3.3 and going forward, there is a parameter (check-index) that you can set to make this happen without getting an error message complaining about the nonexistent index. By setting check-index to false, the Universal Forwarder would not require the index to be there to begin with, but this is not the default behavior in 4.3.3.
For example:
./splunk add monitor /var/log/case1 -index test_case1 -check-index false
The default behavior is different depending on the version.
gaurav_a,
The Splunk UF you are running this command from has a condition to test and ensure the index exists prior to routing your data there. This is probably the error you are seeing:
In handler 'monitor': Parameter index: Index 'foo1' does not exist. Please provide a valid index.
Here are a few options to do this quickly:
If you could articulate your use-case, I might have more ideas.
Best,
Sean