Getting Data In

Why does "add monitor" via CLI not create new sourcetype in Splunk Light?

GirolamoBo
Explorer

I have this file in location:

/Users/myuser/path/firewall3.log

Thu Mar 6 11:33:49 EST 2014 src_ip=1.1.1.1
Thu Mar 6 11:33:45 EST 2014 sourceip=8.1.2.3
Thu Mar 6 11:33:48 EST 2014 source_ip=1.1.1.0
Thu Mar 6 11:33:47 EST 2014 sip=1.1.1.199
Thu Mar 6 11:33:46 EST 2014 ip=
Thu Mar 6 11:33:46 EST 2014 ip=22.22.22.22
Thu Mar 7 10:00:00 EST 2014 ip=22.22.22.22
Thu Mar 8 10:30:00 EST 2014 ip=22.22.22.22
Thu Mar 9 10:30:00 EST 2014 ip=22.22.22.22

I add a new index:

./splunk add index -name newindex3

Next I add monitor:

./splunk add monitor "/Users/myuser/path/firewall3.log" -index newindex3 -sourcetype firewall3

No errors, but a new sourcetype is not created in Splunk.

I tried the same command with sourcetype parameter but a new source type is still not created

./splunk add monitor "/Users/myuser/path/firewall3.log" -index newindex3 -sourcetype firewall3 -sourcetype firewall3

What is the correct command to monitor a local file? I looked at this article:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Data/MonitorfilesanddirectoriesusingtheCLI#Example...
but I don't see what I am missing to make sure a new sourcetype is created. When I use oneshot, a new sourcetype is created, but I would like to add entries to the local file and see the new events in Splunk.

esix_splunk
Splunk Employee

Is your path correct for the firewall3.log, meaning can you see this in Splunk? Check permissions also; the Splunk user needs to be able to read the file.

If you don't get results for the firewall3 sourcetype, most likely you're not indexing the file correctly. Your syntax is correct for the add monitor and adding the sourcetype.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/MonitorfilesanddirectoriesusingtheCLI

0 Karma

GirolamoBo
Explorer

Thank you.
I believe my path is correct. If I intentionally make it wrong I get an error: "Parameter name: Path does not exist."
I cannot see the new sourcetype in Splunk, or firewall3.log in Sources. The same file with a different name inside a peer folder loads fine in source and as sourcetype if I use oneshot command to add the file. This cannot be a permission error.
Please let me know what you mean by my not indexing the file correctly. Before I use the add monitor command I use: ./splunk add index -name newindex3
Does it look wrong to you?
A link to the documentation you sent is the one I mentioned in my post - I have seen it, but I am afraid I am missing something. The trouble is I don't get any errors in the terminal when I add index and when I add monitor, but a new sourcetype is not created, and Splunk does not see the file in Sources. Thank you.

0 Karma
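As an added worked example (not from the thread and not Splunk's own tooling): a small POSIX shell helper that runs the checks the reply above asks for (path exists, is a regular file, is readable, is non-empty), prints the inputs.conf stanza that `splunk add monitor PATH -index INDEX -sourcetype SOURCETYPE` corresponds to, and fingerprints the first 256 bytes of a file. Two points a practitioner would want to know here: the `-sourcetype` argument only labels events, so a sourcetype appears under Sources/Sourcetypes in the UI only after events carrying it are indexed, and if the monitor reads nothing, nothing appears; and by default Splunk's file monitor identifies a file by a CRC of its first 256 bytes, so a second file whose opening bytes match one it has already read (for example a copy with identical content that was indexed via oneshot) is treated as already seen unless `crcSalt = <SOURCE>` is set in the stanza. The `cksum` fingerprint below is a stand-in for that behaviour, not Splunk's CRC; paths, index and user names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Pre-flight checks for a file
# before handing it to `splunk add monitor`, the equivalent inputs.conf stanza,
# and a first-256-bytes fingerprint that mimics how the monitor input decides
# whether it has already read a file. Run the checks as the user splunkd runs as.

# check_monitor_target PATH -> 0 ok, 1 missing, 2 not a regular file,
# 3 not readable by this process, 4 empty (nothing to index yet).
check_monitor_target() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2; return 1
    fi
    if [ ! -f "$path" ]; then
        echo "not a regular file: $path" >&2; return 2
    fi
    if [ ! -r "$path" ]; then
        echo "not readable by $(id -un): $path" >&2; return 3
    fi
    if [ ! -s "$path" ]; then
        echo "empty file, no events to read yet: $path" >&2; return 4
    fi
    return 0
}

# monitor_stanza PATH INDEX SOURCETYPE [salt]
# Prints the inputs.conf stanza the CLI command writes. With a 4th argument
# "salt", adds crcSalt = <SOURCE> so files with identical openings but different
# paths are tracked separately (a hardening many admins add by hand).
monitor_stanza() {
    printf '[monitor://%s]\nindex = %s\nsourcetype = %s\n' "$1" "$2" "$3"
    if [ "${4:-}" = "salt" ]; then
        printf 'crcSalt = <SOURCE>\n'
    fi
}

# head_fingerprint PATH -> checksum of the first 256 bytes.
# Two files with the same first 256 bytes give the same value, which is the
# situation in which the monitor input silently skips the second file.
head_fingerprint() {
    head -c 256 "$1" | cksum | awk '{print $1}'
}

# Usage (paths are placeholders):
#   check_monitor_target /Users/myuser/path/firewall3.log && \
#     monitor_stanza /Users/myuser/path/firewall3.log newindex3 firewall3 salt
```

Compare the fingerprint of the file given to `add monitor` with that of the copy already indexed with oneshot; if they match, the monitor stanza needs `crcSalt = <SOURCE>` (or the file needs a distinct header) before Splunk will read it. After adding the stanza, `splunk list monitor` shows whether the input is registered, and a search over `index=newindex3` shows whether events arrived.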