In splunk enterprise security, I am trying to add data from a directory using 'Monitor'. Files gets created in the directory in real time. So, I want to use 'Monitor' and select 'directory' under 'Files & Directories'.
I ingested the data with one file and it was successful and I am able to search event too.
But upon adding new files in the specified directory, should I assume the splunk will read new files as they come in or do I need to do anything else to make splunk read new data from that directory?
Right now, in the 'Select Source' page, I selected 'Continuously Monitor' option but upon adding new files in the direcory splunk is not reading those since I am not ale to search those events.
Does your Splunk system account have permission to read other files in that directory?
Yes, you are understanding the monitoring concept correctly. If configured correctly, you should not need to do anything else.
New files not being picked up could be caused by a number of issues.
Can you post the contents of your inputs.conf?