
HOW TO ADD LOG FILE APPENDED BY CURRENT DATE

deepti123
New Member

Please guide me in steps how to add log file that appends by current date.

How and where to add log file eg abc.2010.2.24.log (today),abc.2010.2.25(tomorrow) . Do i need to add the log file daily?


sideview
SplunkTrust

Please do not use all caps in your questions.

deepti123
New Member

I have to search for a string in the log file, so I am not very sure what I should add in the search command.

For example, I have to search for "exception" in the abc.2011.3.3.log file, which is located at sername/common/abc/abc.2011.3.3.log.

Now in Manager » Data inputs » Files & Directories >> New... I gave the path name as \sername\common\abc. Is this fine? Also, in Manager » Searches and reports >> New, I gave "exception" source="\\sername\domains\common\abc", clicked the "Schedule this search" checkbox, set up alert conditions and "include results in email", and specified the email IDs. However, I did not get any email and I am not sure whether I set up the alert correctly or not.

Please help me


LCM
Contributor

deepti123: Do you read the comments? Close this thread, and open a NEW one!


LCM
Contributor

The best way to do it: go back to the Search app. There, type your search command. In the upper right-hand corner is a "Save search" symbol (your command will automatically be included). Set the time range, tick "Schedule this search" and set when it should run, then type in your email address etc. (make sure the server Splunk runs on has sendmail configured).

Finally, save it, and it will be found under Manager » Searches and reports.

PS: Next time, please close the thread and open a new one. We're switching from "appending files" over to "saved searches & reports", so let's keep the topics tidy!

deepti123
New Member

Also, in Manager » Searches and reports >> New, I need to add the path of my log file, which I have entered as //servername/test. In test I have abc.28.2.2011.log, which I want to monitor.

And then in Manager » Data inputs » Files & Directories >> New, I added servername/test, and then in the whitelist I added abc*log.

Now will Splunk send me an email after monitoring the log files daily inside the test directory?


deepti123
New Member

Please help me with the above.


deepti123
New Member

Actually, my log files are in the same directory. Also, in Manager<

Is there any provision for including a log file which is appended with systemdate.log?


LCM
Contributor

No you don't!

If your log files are all in the same directory, monitor the whole directory (e.g.):

On the UI: Manager » Data inputs » Files & Directories » Add New

  • Full path on server : < your_path_to_your_files > (e.g /var/foo/bar/log)

That's it. But if you have other files in that directory that you don't want to monitor, do the following on the UI:

  • Full path on server : < your_path_to_your_files > (e.g /var/foo/bar/log)
  • Whitelist : abc*log

The whitelisting option now picks up all abc*log files, but not dbc*log or whatever.
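An added illustration of the whitelist rule described above (this is not code from the thread or from Splunk): the Whitelist field in Manager » Data inputs » Files & Directories is the inputs.conf `whitelist` setting, and Splunk treats it as a regular expression searched, unanchored, against the full path of each file, not as a shell glob. Read as a regex, `abc*log` means "ab", zero or more "c", then "log" contiguously, so it would not select abc_23_02_2011.log; an anchored pattern such as `abc.*\.log$` does. The script re-implements that match rule locally over a constructed directory listing (the paths are made up) so the pattern can be checked before it is put on the server, and renders the equivalent inputs.conf stanza.

```python
import re

# Constructed sample directory listing (not from the thread): one file per day,
# plus a compressed rotation and two files that should NOT be picked up.
SAMPLE_PATHS = [
    "/var/foo/bar/log/abc_23_02_2011.log",
    "/var/foo/bar/log/abc_24_02_2011.log",
    "/var/foo/bar/log/abc_23_02_2011.log.gz",
    "/var/foo/bar/log/dbc_23_02_2011.log",
    "/var/foo/bar/log/abclog",
]


def monitored_files(paths, whitelist, blacklist=None):
    """Return the paths a [monitor://] stanza with these settings would select.

    Splunk's whitelist/blacklist settings are regular expressions (not globs)
    searched, unanchored, against the full path. A path is monitored if it
    matches the whitelist and does not match the blacklist. This is a local
    re-implementation of that rule for illustration, not Splunk's own code.
    """
    wl = re.compile(whitelist)
    bl = re.compile(blacklist) if blacklist else None
    selected = []
    for path in paths:
        if not wl.search(path):
            continue
        if bl and bl.search(path):
            continue
        selected.append(path)
    return selected


def inputs_conf_stanza(directory, whitelist, blacklist=None):
    """Render the inputs.conf stanza equivalent to the UI directory monitor."""
    lines = [f"[monitor://{directory}]", f"whitelist = {whitelist}"]
    if blacklist:
        lines.append(f"blacklist = {blacklist}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The pattern typed in the thread, read as a regex: 'ab', any number of 'c',
    # then 'log' contiguously. It does not match abc_23_02_2011.log.
    print("abc*log       ->", monitored_files(SAMPLE_PATHS, r"abc*log"))
    # Anchored regex: the daily files, and only them.
    print(r"abc.*\.log$   ->", monitored_files(SAMPLE_PATHS, r"abc.*\.log$"))
    # Unanchored whitelist plus a blacklist to skip compressed rotations.
    print(r"with blacklist ->", monitored_files(SAMPLE_PATHS, r"abc.*\.log", r"\.gz$"))
    print(inputs_conf_stanza("/var/foo/bar/log", r"abc.*\.log$"))
```

Because the match is unanchored, a loose whitelist such as `abc.*\.log` also selects `abc_23_02_2011.log.gz`; either anchor the pattern with `$` or add a blacklist for the rotated copies so the same day's data is not indexed twice.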

deepti123
New Member

Thanks for the quick reply. I'll try this.


LCM
Contributor

OK, if your file abc_23_02_2011.log comes in today, it'll be read by Splunk. The same happens tomorrow with the file abc_24_02_2011.log. Splunk monitors the whole directory, which means every new file will be read into Splunk. To your question: yes, Splunk handles this by itself, and no, you don't have to add any other config params.

deepti123
New Member

Hi, I am quite new to Splunk. In our file system, one log file is generated per day, appended by date, e.g. abc_dd_mm_YYYY. I want Splunk to monitor only the file generated for that day, e.g. on 23 Feb I want Splunk to monitor only the file with 23_02 appended at the end. Will Splunk automatically handle this, or do we have to add configuration parameters?


LCM
Contributor

deepti123: not sure what exactly you mean by: Is there any provision for including a log file which is appended with systemdate.log?

Ayn
Legend

Not sure what you're after here.

Splunk doesn't itself create any log files from external data, the only log files it creates are those related to Splunk's own operation.

If what you mean is that you have a directory, say, /var/log/mylogs, consisting of log files that are rotated so that a new log file is created with a date appended to its name, you just have to tell Splunk to index the whole directory /var/log/mylogs instead of each individual file in that directory.
