Still not documented.
splunk@worker-1:/$ date
Wed May 22 12:53:14 UTC 2019
splunk@worker-1:/$ /opt/splunkforwarder/bin/splunk --version
Splunk Universal Forwarder 7.2.6 (build c0bf0f679ce9)
splunk@worker-1:/$ /opt/splunkforwarder/bin/splunk help add monitor
adds monitor directory and file inputs
Syntax:
add monitor source [-parameter <value>] ...
Objects:
add monitor adds monitor directory and file inputs
Required Parameters:
(For add monitor)
source path to a file or directory whose contents should be indexed by the Splunk server, and then watched for new input. The Splunk server unpacks tarfiles and compressed files.
Optional Parameters:
(For add monitor)
sourcetype source type value to set for events from the source
index a local Splunk index to place events from the source. Note: For forwarding instances of Splunk (which typically do not have local indexes), you have to edit the configuration file (inputs.conf) to specify an input for an index on a remote server.
hostname host name to set as the host value
hostregex regular expression of file path to set as the host value
hostsegmentnum number of segments in the file path to set as the host value
follow-only only read from the end of the file (True|False, default=False)
Examples:
./splunk add monitor /var/log/
./splunk add monitor -source c:\Windows\windowsupdate.log -index newindex
./splunk add monitor -source c:\windows\system32\LogFiles\W3SVC
Type "help [command]" to get help with parameters for a specific command.
Complete documentation is available online at: http://docs.splunk.com/Documentation