Topics

| pdf version

Welcome

What to do first

Start Splunk

Meet Splunk Web and Splunk Apps

Before you configure

Add data and configure inputs

Indexing and event processing

Timestamps

Add and manage users

Manage indexes

Define alerts

Set up backups and retention policies

Configure data security

Set up forwarding and receiving

Deploy to other Splunk instances

Set up distributed search

Manage search jobs

Use Splunk's command line interface (CLI)

Configuration file reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Monitor files and directories using the CLI

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6

Monitor files and directories using the CLI

Monitor files and directories via Splunk's Command Line Interface (CLI). To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command from the UNIX or Windows command prompt.

If you get stuck, Splunk's CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well -- type splunk help <command>.

CLI commands for input configuration

The following commands are available for input configuration via the CLI:

Command Command syntax Action
add add monitor $SOURCE [-parameter value] ... Add inputs from $SOURCE.
edit edit monitor $SOURCE [-parameter value] ... Edit a previously added input for $SOURCE.
remove remove monitor $SOURCE Remove a previously added $SOURCE.
list list monitor List the currently configured monitor.
spool spool source Copy a file into Splunk via the sinkhole directory.

Change the configuration of each data input type by setting additional parameters. Parameters are set via the syntax: -parameter value.

Note: You can only set one -hostname, -hostregex or -hostsegmentnum per command.

Parameter Required? Description
source Required Path to the file or directory to monitor for new input.
sourcetype Optional Specify a sourcetype field value for events from the input source.
index Optional Specify the destination index for events from the input source.
hostname Optional Specify a host name to set as the host field value for events from the input source.
hostregex Optional Specify a regular expression on the source file path to set as the host field value for events from the input source.
hostsegmentnum Optional Set the number of segments of the source file path to set as the host field value for events from the input source.
follow-only Optional (T/F) True or False. Default False. When set to True, Splunk will read from the end of the source (like the "tail -f" Unix command).

Example 1. monitor files in a directory

The following example shows how to monitor files in /var/log/:

Add /var/log/ as a data input: 

./splunk add monitor /var/log/

Example 2. monitor windowsupdate.log

The following example shows how to monitor the Windows Update log (where Windows logs automatic updates):

Add C:\Windows\windowsupdate.log as a data input: 

./splunk add monitor C:\Windows\windowsupdate.log

Example 3. monitor IIS logging

This example shows how to monitor the default location for Windows IIS logging: Add C:\windows\system32\LogFiles\W3SVC as a data input: 

./splunk add monitor c:\windows\system32\LogFiles\W3SVC
Retrieved from "http://www.splunk.com/base/Documentation/4.0.6/Admin/MonitorfilesanddirectoriesusingtheCLI"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.