How to check a directory is being indexed (Monitor a Directory)

AccentureQBETA
Path Finder

Hi,

I'm trying to get to grips with Splunk to evaluate it for a company I work for. I'm having trouble doing some basic tasks though. I've read quite a bit of the documentation and understand Splunk from a high level. It looks like it should be a beautiful solution.

I want a basic setup to start with. I would like to just index 4 Apache Tomcat access logs (Apache's IIS Logs).

I've installed Splunk on a local machine and created a local folder to drop the files into (we have 4 servers for an application, each creating 1 log per day).

I've set up a data input via the web interface (added a regex expression for the host too).

I see from $SPLUNK_HOME/en-GB/manager/search/data/inputs/monitor the Data Input I added, and it says 4 under the Number of files.

But I don't see anything for those 4 files under the Sources, Source types and Hosts when I look here: $SPLUNK_HOME/en-GB/app/search/dashboard_live

So to me, it doesn't look like the files have been indexed for searching? I could do with knowing how you monitor loading (indexing) to see when a file has been parsed and indexed, with what host, source and source type, and how the events look for those files?

Another thing I was looking into was the inputs.conf file in Splunk\etc\system\local. I believe once I set up a data input it should add a monitoring line in here? But it looks a little empty with just several one-liners and looks nothing like the file from Splunk\etc\system\default

0 Karma
1 Solution

joshpreston
New Member

Most useless thread. EVER.

0 Karma

AccentureQBETA
Path Finder

Why don't you post something useful and constructive? Make the thread useful for others...

I now just run searches on the indexes being indexed to. Normally a count of all requests per day, and I just hope Splunk has indexed all the events properly (or as I expect).

0 Karma

dmaislin_splunk
Splunk Employee

Use Windows Explorer and search for inputs.conf. I thought Linux, but you are on Windows.

0 Karma

AccentureQBETA
Path Finder

C:\Program Files\Splunk\etc\apps>find . -name "inputs.conf" -print
Access denied - .
File not found - -NAME
File not found - -PRINT

0 Karma

dmaislin_splunk
Splunk Employee

In a nutshell, if you are in an app, let's say the search app, and then you go to manager/data inputs, the inputs.conf will be located in $SPLUNK_HOME\etc\apps\search\local. If you are in another app, the inputs.conf will be in another app's local directory. Are you on a Linux box?

Go to $SPLUNK_HOME\etc\apps and search using Windows Explorer for inputs.conf files.

Nothing is ever going to be in the directories that you listed above for your use cases.

0 Karma
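
The lookup described in the answer above, as an added example that is not part of the original thread: it walks every inputs.conf under a Splunk home and lists the `[monitor://...]` stanzas with their settings, so you can see which app's local directory holds the input created in the web interface. The sample tree, the monitored path `C:\logs\tomcat`, the host name and the stanza settings are constructed for illustration.

```python
import os
import re
import tempfile

MONITOR = re.compile(r"^\[monitor://([^\]]+)\]$")

def find_monitor_stanzas(splunk_home):
    """Return (conf_file, monitored_path, settings) for each [monitor://...]
    stanza in any inputs.conf below <splunk_home>/etc."""
    found = []
    for root, _dirs, files in os.walk(os.path.join(splunk_home, "etc")):
        for name in files:
            if name.lower() != "inputs.conf":
                continue
            conf, settings = os.path.join(root, name), None
            with open(conf, encoding="utf-8", errors="replace") as fh:
                for line in map(str.strip, fh):
                    if not line or line.startswith("#"):
                        continue
                    if line.startswith("["):          # a new stanza begins
                        m = MONITOR.match(line)
                        settings = {} if m else None  # skip non-monitor stanzas
                        if m:
                            found.append((conf, m.group(1), settings))
                    elif settings is not None and "=" in line:
                        key, value = line.split("=", 1)
                        settings[key.strip()] = value.strip()
    return sorted(found, key=lambda r: r[:2])

def build_sample_tree():
    """Constructed sample layout: the monitor stanza lives in the search
    app's local directory, not in etc/system/local."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    samples = {
        ("etc", "system", "local"): "[default]\nhost = LAB-PC\n",
        ("etc", "apps", "search", "local"): (
            "[monitor://C:\\logs\\tomcat]\n"
            "disabled = false\n"
            "sourcetype = access_combined\n"
            "host_regex = (srv\\d)_access\n"),
    }
    for parts, text in samples.items():
        folder = os.path.join(home, *parts)
        os.makedirs(folder)
        with open(os.path.join(folder, "inputs.conf"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return home

if __name__ == "__main__":
    for conf, path, settings in find_monitor_stanzas(build_sample_tree()):
        print(conf, "->", path, settings)
```

On a real install, pass the actual Splunk installation directory to `find_monitor_stanzas` instead of the sample tree.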

AccentureQBETA
Path Finder

I'll read through this and see if I get my answers. Thank you for the reply.

0 Karma