Monitoring Splunk

Monitoring the log files dynamically from universal forwarder to splunk indexer to specific index

gaurav_a
New Member

Hi,
As I told you earlier, I used the command

./splunk add monitor directory-path -index index_name

But it is having an issue, and I need to update my inputs.conf on the fly. So is there any other way to add the monitor dynamically (like the above CLI command)?
In the above case I am able to add the monitor but index parameter is throwing me an error.
It's a bit urgent for our project, please let us know the solution for the same.

Thanks in advance

0 Karma

mic
Splunk Employee

In 4.3.3 and going forward, there is a parameter (check-index) that you can set to make this happen without getting an error message complaining about the nonexistent index. By setting check-index to false, the Universal Forwarder would not require the index to be there to begin with, but this is not the default behavior in 4.3.3.

For example:

./splunk add monitor /var/log/case1 -index test_case1 -check-index false

The default behavior differs depending on the version:

  • 4.3.3 universal forwarder: default check-index is true, which means that it would always check whether the index exists
  • 4.3.4 universal forwarder: default check-index is true, which means that it would always check whether the index exists
  • 4.3.5 universal forwarder: default check-index is true, which means that it would always check whether the index exists
  • 5.0.2 universal forwarder: default check-index is false
0 Karma

sdwilkerson
Contributor

gaurav_a,

The Splunk UF you are running this command from has a condition to test and ensure the index exists prior to routing your data there. This is probably the error you are seeing:

In handler 'monitor': Parameter index: Index 'foo1' does not exist. Please provide a valid index.

Here are a few options to do this quickly:

  • Use the Splunk DeploymentServer to change the path whenever you want. Note: setting up the DeploymentServer initially could take a little time.
  • Use a script to change the file at will either remotely or on a remote system

If you could articulate your use-case, I might have more ideas.

Best,
Sean

0 Karma
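The "use a script to change the file" option above, as an added example that is not code from either answer: a POSIX shell function that maintains a [monitor://...] stanza with an index setting in an inputs.conf file. It is idempotent, so running it from a cron job or a remote ssh command will not duplicate stanzas, and it sidesteps the "Index does not exist" check because the forwarder never evaluates the index name when the file is edited directly. The file path, directory and index name are all supplied by the caller; the usual location, $SPLUNK_HOME/etc/system/local/inputs.conf, is an assumption about the deployment, not something the thread states.

```shell
#!/bin/sh
# Added example: maintain monitor stanzas in a Splunk inputs.conf by editing
# the file rather than calling `splunk add monitor -index`, which on older
# universal forwarders refuses an index that does not exist yet.
# Assumed file layout: [monitor://DIR] header followed by key = value lines,
# which is the stanza form Splunk reads from inputs.conf.

# has_monitor FILE DIR -> 0 if a [monitor://DIR] stanza already exists
has_monitor() {
    # -F: fixed string (paths contain regex metacharacters); -x: whole line
    grep -Fxq "[monitor://$2]" "$1" 2>/dev/null
}

# add_monitor_stanza FILE DIR INDEX
# Appends a monitor stanza for DIR that routes events to INDEX.
# Returns 1 on missing arguments; returns 0 whether the stanza was added or
# was already present, so repeated runs leave exactly one stanza per DIR.
add_monitor_stanza() {
    file=$1; dir=$2; idx=$3
    [ -n "$file" ] && [ -n "$dir" ] && [ -n "$idx" ] || return 1
    [ -f "$file" ] || : > "$file"
    if has_monitor "$file" "$dir"; then
        return 0
    fi
    printf '\n[monitor://%s]\nindex = %s\ndisabled = false\n' "$dir" "$idx" >> "$file"
}

# count_monitor_stanzas FILE -> number of [monitor://...] stanzas in FILE
count_monitor_stanzas() {
    grep -c '^\[monitor://' "$1" 2>/dev/null || true
}

# Demo on a constructed temporary file (so the script runs offline):
demo_inputs=$(mktemp)
add_monitor_stanza "$demo_inputs" /var/log/case1 test_case1
add_monitor_stanza "$demo_inputs" /var/log/case1 test_case1   # no duplicate
add_monitor_stanza "$demo_inputs" /var/log/case2 test_case2
echo "stanzas in $demo_inputs: $(count_monitor_stanzas "$demo_inputs")"
cat "$demo_inputs"
rm -f "$demo_inputs"
```

Because the forwarder only reads inputs.conf at startup, a stanza added this way takes effect after the forwarder is restarted, whereas the CLI command in the thread applies immediately; that is the trade-off between the two approaches.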