
Splunk add a file monitor input to an index






Monitor files and directories with inputs.conf

You can use the inputs.conf file to monitor files and directories with the Splunk platform. The inputs.conf file provides the most configuration options for setting up a file monitor input. If you use Splunk Cloud Platform, you can use either Splunk Web or a forwarder to configure file monitoring inputs.

To configure an input, add a stanza to the inputs.conf file in the $SPLUNK_HOME/etc/system/local/ directory or in your own custom application directory under $SPLUNK_HOME/etc/apps/. These locations are on the machine that runs Splunk Enterprise or the forwarder. To learn more about the inputs.conf file, see inputs.conf in the Splunk Enterprise Admin Manual.

You can configure multiple settings in an input stanza. If you don't specify a value for a setting, the Splunk platform uses the default for that setting. You can find the defaults for settings in the $SPLUNK_HOME/etc/system/default/inputs.conf file. For more information about configuration files, see About configuration files in the Splunk Enterprise Admin Manual.

Configure a forwarder to send data to Splunk Cloud Platform

If you want to send Active Directory (AD) data to Splunk Cloud Platform, you must install and configure a forwarder before you begin making edits to configuration files on the forwarder.

  • Install a universal forwarder on the machine from which you want to collect the AD data.
  • Install the Splunk Cloud Platform universal forwarder credentials package onto the machine.

Configure file monitoring with inputs.conf

  • On the machine that runs Splunk software, open a shell or command prompt.
  • Change to the $SPLUNK_HOME/etc/system/local directory.
  • If the inputs.conf file doesn't exist, create the file.
  • Open inputs.conf for editing with a text editor.
  • Add a stanza that references the files or directories that you want to monitor. For example, to monitor the /var/log/messages file on a *nix system, use a stanza of the form [monitor:///var/log/messages].
  • Save the file, then reload the monitor inputs so that the change takes effect without a full restart. The -auth option takes the credentials of a Splunk user that is allowed to administer inputs:

    splunk _internal call /services/data/inputs/monitor/_reload -auth

Settings for monitor and batch input stanzas

You can use the following settings in both monitor and batch input stanzas. The setting name is given first, followed by what it does and the default that applies when you leave it out.

host = <string>
  Sets the host key to a static initial value for this stanza. The input processor uses the key during parsing and indexing to set the host field, and uses the field during searching. The Splunk platform prepends the value with host::.
  Default: the IP address or fully qualified domain name of the host where the data originated.

index = <string>
  Sets the index where events from this input are stored. The Splunk platform prepends the value with index::. For more information about the index field, see How indexing works in the Splunk Enterprise Managing Indexers and Clusters manual.
  Default: the main index, or whatever you set the default index to. Because access control in Splunk is granted per index, relying on this default means the data is readable by everyone who can search main.

sourcetype = <string>
  Sets the sourcetype key or field for events from this input. This setting explicitly declares the source type for this data, as opposed to letting the Splunk platform determine it automatically. Declaring the sourcetype is important both for searchability and for applying the relevant formatting for this type of data during parsing and indexing. The Splunk platform uses the key during parsing and indexing to set the source type field, and uses the source type field during searching. The Splunk platform prepends the value with sourcetype::. For more information about source types, see Why source types matter.
  Default: the Splunk platform picks a source type based on various aspects of the data.

queue = parsingQueue | indexQueue
  Specifies where the input processor deposits the events that it reads. Set to parsingQueue to apply the props.conf file and other parsing rules to your data. Set to indexQueue to send your data directly into the index; because parsing is skipped, any props.conf-based masking, filtering or routing does not run on this data.
  Default: parsingQueue.

_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,...
  Specifies a comma-separated list of tcpout group names. Use it on a forwarder to send the events from this stanza only to the listed output groups, which must be defined in outputs.conf.
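The stanzas and settings described above, as an added example that is not part of the Splunk documentation this page reproduces. The script writes a constructed inputs.conf containing two monitor stanzas, reads individual settings back out of it with a small awk parser, and lints every monitor stanza for an explicit index and sourcetype so that no input silently falls back to the main index or to an autodetected source type. The index names (os_linux, auth), the sourcetypes, the host name, the tcpout group name secops_indexers and the target directory are all assumptions made for the example; the tcpout group would have to exist in outputs.conf on a real forwarder.

```shell
#!/bin/sh
# Added example, not Splunk's own code: generate, query and lint an inputs.conf
# for file monitor inputs. All names below are constructed for illustration.

# Write a constructed inputs.conf into directory $1 (normally
# $SPLUNK_HOME/etc/system/local or an app's local directory on the forwarder).
write_inputs_conf() {
    cat > "$1/inputs.conf" <<'EOF'
# Linux system log. Explicit index and sourcetype: events do not land in main
# by accident and field extraction does not depend on autodetection.
[monitor:///var/log/messages]
index = os_linux
sourcetype = syslog
host = web01.example.com
queue = parsingQueue

# Authentication log routed only to the assumed tcpout group secops_indexers
# (it must be defined in outputs.conf, which this example does not show).
[monitor:///var/log/auth.log]
index = auth
sourcetype = linux_secure
_TCP_ROUTING = secops_indexers
EOF
}

# Print the value of KEY inside stanza STANZA of FILE; print nothing when the
# key is absent, which is when Splunk applies system/default/inputs.conf.
# Usage: conf_get FILE STANZA KEY   e.g. conf_get f "monitor:///var/log/messages" index
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }                  # skip comment lines
        /^\[/ { cur = $0; next }                      # remember current stanza
        cur == want {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Report every [monitor:...] stanza in FILE that does not declare both index
# and sourcetype. Returns 0 when all stanzas are explicit, 1 otherwise.
lint_monitor_stanzas() {
    rc=0
    for stanza in $(grep -o '^\[monitor:[^]]*\]' "$1" | tr -d '[]'); do
        for key in index sourcetype; do
            if [ -z "$(conf_get "$1" "$stanza" "$key")" ]; then
                echo "missing $key in [$stanza]" >&2
                rc=1
            fi
        done
    done
    return $rc
}
```

The parser only reads the one file you point it at; on a live instance, `splunk btool inputs list --debug` shows the values that survive after all default, app and local copies of inputs.conf are merged, which is the number to trust. Keep queue at its parsingQueue default unless you are certain the data needs no props.conf processing, since indexQueue bypasses any masking or filtering configured there.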





