Splunk - Monitor Files
Splunk Enterprise monitors and indexes the file or directory as new data appears. You can also specify a mounted or shared directory, including network file systems, as long as Splunk Enterprise can read from the directory. If the specified directory contains subdirectories, the monitor process recursively examines them for new files, as long as the directories can be read.
You can include or exclude files or directories from being read by using whitelists and blacklists.
If you disable or delete a monitor input, Splunk Enterprise does not stop indexing the files that the input references. It only stops checking those files again.
You specify the path to a file or directory and the monitor processor consumes any new data written to that file or directory. This is how you can monitor live application logs such as those coming from Web access logs, Java 2 Platform or .NET applications, and so on.
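The whitelist and blacklist rules described above can be checked before an input is deployed. The following added example (not from the original tutorial or from Splunk) models the documented inputs.conf behaviour in Python: both settings are regular expressions searched against the full file path, and a blacklist match wins when a file matches both. The stanza, the sample paths and the function name are constructed for illustration, and Python's `re` module stands in for Splunk's PCRE engine.

```python
import re
from pathlib import PurePosixPath

# Equivalent inputs.conf stanza (constructed for this example):
#   [monitor:///var/log/webapp]
#   whitelist = \.log$
#   blacklist = debug|\.gz$


def monitored(paths, root, whitelist=None, blacklist=None):
    """Return the paths under `root` that the monitor input would read.

    Assumed model of Splunk's behaviour: directories are walked
    recursively, whitelist/blacklist are unanchored regexes applied to
    the full path, and blacklist takes precedence over whitelist.
    """
    allow = re.compile(whitelist) if whitelist else None
    deny = re.compile(blacklist) if blacklist else None
    root_path = PurePosixPath(root)
    selected = []
    for p in paths:
        if root_path not in PurePosixPath(p).parents:
            continue  # outside the monitored directory tree
        if deny and deny.search(p):
            continue  # excluded, even if the whitelist also matches
        if allow and not allow.search(p):
            continue  # a whitelist is set and this path is not on it
        selected.append(p)
    return selected


# Constructed sample paths, not taken from a real host.
SAMPLE = [
    "/var/log/webapp/access.log",
    "/var/log/webapp/api/error.log",    # subdirectory, read recursively
    "/var/log/webapp/api/debug.log",    # matches whitelist AND blacklist
    "/var/log/webapp/access.log.1.gz",  # rotated archive, blacklisted
    "/var/log/webapp/tls/server.key",   # key material, not whitelisted
    "/var/log/other/access.log",        # outside the monitored root
]

if __name__ == "__main__":
    for path in monitored(SAMPLE, "/var/log/webapp", r"\.log$", r"debug|\.gz$"):
        print("would index:", path)
```

Without a whitelist, every readable file under the directory is indexed, including files such as `server.key` in the sample, which is why an explicit whitelist is the safer default for directories that hold more than logs.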
Add files to Monitor
Using the Splunk web interface, we can add files or directories to be monitored. We go to Splunk Home → Add Data → Monitor.
Clicking Monitor brings up the list of file and directory types you can monitor. Next, we choose the file we want to monitor.
Next, we choose the default values as Splunk is able to parse the file and configure the options for monitoring automatically.
After the final step, we see the result, which shows the events captured from the monitored file.
If any of the values in the event change, the result is updated to show the latest result.