- Splunk Operational Intelligence Cookbook
- Josh Diakun Paul R Johnson Derek Mock
- 157字
- 2025-04-04 16:53:01
Adding a file or directory input using inputs.conf
Another common method of adding the file and directory inputs is to manually add them to the inputs.conf configuration file directly. This approach is often used for large environments or when configuring Splunk forwarders to monitor for files or directories on endpoints.
Edit $SPLUNK_HOME/etc/system/local/inputs.conf and add your input. After your inputs are added, Splunk will need to be restarted to recognize these changes.
For Unix, we will use the following code:
[monitor:///var/log/messages] sourcetype = linux_messages
For Windows, we will use the following code:
[monitor://c:/filelocation/cp01_messages.log] sourcetype = linux_messages
Editing inputs.conf directly is often a much faster way of adding new files or directories to monitor when several inputs are needed. When editing inputs.conf, ensure that the correct syntax is used and remember that Splunk will need a restart for modifications to take effect. Additionally, specifying the source type in the inputs.conf file is the best methods for assigning source types.