splunk enterprise add data - monitor - how to fetc...

vnarapuram · ‎12-16-2019

In splunk enterprise security, I am trying to add data from a directory using 'Monitor'. Files gets created in the directory in real time. So, I want to use 'Monitor' and select 'directory' under 'Files & Directories'.
I ingested the data with one file and it was successful and I am able to search event too.
But upon adding new files in the specified directory, should I assume the splunk will read new files as they come in or do I need to do anything else to make splunk read new data from that directory?
Right now, in the 'Select Source' page, I selected 'Continuously Monitor' option but upon adding new files in the direcory splunk is not reading those since I am not ale to search those events.

martynoconnor · ‎12-21-2019

Does your Splunk system account have permission to read other files in that directory?

codebuilder · ‎12-18-2019

Yes, you are understanding the monitoring concept correctly. If configured correctly, you should not need to do anything else.
New files not being picked up could be caused by a number of issues.
Can you post the contents of your inputs.conf?

----
An upvote would be appreciated and Accept Solution if it helps!

splunk enterprise add data - monitor - how to fetch data in real time

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life