Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can "watched directories" be recursive?

tedder
Communicator
‎11-04-2010 03:51 PM

I'm watching a directory. Let's say it is /foo. The files are in subdirectories: /foo/archive/2010-11/ /foo/archive/2010-10/ /foo/archive/2010-09/

It doesn't appear Splunk is looking recursively to find those subdirectories. Do I need to add every individual month to Splunk? What are my options?

One thought is I could modify the archive script to put a copy of the file in the spool directory, but that means the index isn't "hard set" like it is on that monitored directory. What else? Perhaps I could have Splunk watch /foo/incoming, I'll copy it there and Splunk could read and delete it from that directory?

I think "..." is what I need for recursion. The inputs.conf doesn't make it clear- would the following monitor work: [monitor:///foo/...]

Or this? [monitor:///foo/.../*]

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎11-04-2010 04:15 PM

There is a setting for recursion in the inputs.conf file:

http://www.splunk.com/base/Documentation/latest/admin/Inputsconf

recursive = true|false
* if false, will not go into subdirectories found within a monitored directory
* defaults to true

This must be applied under your specific inputs stanza for the monitored directory. I suspect you should have a setting as follows:

[monitor:///foo*]

View solution in original post

Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎11-04-2010 04:15 PM

There is a setting for recursion in the inputs.conf file:

http://www.splunk.com/base/Documentation/latest/admin/Inputsconf

recursive = true|false
* if false, will not go into subdirectories found within a monitored directory
* defaults to true

This must be applied under your specific inputs stanza for the monitored directory. I suspect you should have a setting as follows:

[monitor:///foo*]
Reply
Solved! Jump to solution

tedder
Communicator
‎11-04-2010 04:34 PM

shouldn't the setting be closer to one of these?
[monitor:///foo/]
[monitor:///foo/*]

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...