File and directory monitoring
As the name implies, this input type monitors data files and the directories they are stored in. It is the most widely used and effective way to bring data into Splunk, and Splunk recommends it as one of the best approaches for ingesting files. The monitoring settings are configured in the `inputs.conf` file. To enable this input, a Universal Forwarder (UF) agent must be installed on the source machine; the same settings also work on Heavy Forwarders (HFs) and on Splunk Enterprise itself. Let's look at the notable features of this input type:
- Works for all text-based files, including structured formats (XML, CSV, JSON, etc.) and gzip-compressed files.
- Keeps track of the files being monitored via checkpoints maintained in the `fishbucket` directory under `$SPLUNK_HOME/var/lib/splunk/`.
- Resumes file and directory monitoring from the last checkpointed position when the forwarder restarts.
- Recursively discovers all the files in a directory, including any new files created.
- Uncompresses...
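The following `inputs.conf` fragment is an added example, not configuration from the original text or from Splunk's own documentation. It shows how the features above (recursive directory discovery, compressed-file handling, and fishbucket checkpointing) are driven by monitor stanza settings. The paths, index name and sourcetype names are assumptions for illustration; the setting names are standard `inputs.conf` keys.

```ini
# Added example (not from the original page). Paths, index and sourcetype
# names are assumptions. Lives in $SPLUNK_HOME/etc/system/local/inputs.conf
# or, preferably, in an app's local/inputs.conf on the forwarder.

# Monitor a whole directory tree: every file under /var/log/app, including
# files created later, is discovered. Each file gets a checkpoint in the
# fishbucket, so ingestion resumes at the last read offset after a restart.
[monitor:///var/log/app]
disabled = false
index = app_logs
sourcetype = app:json
recursive = true
# whitelist/blacklist are regexes matched against the full path.
# Ingest only live .log/.json files; blacklist rotated archives, otherwise
# the compressed copy of a file already read is uncompressed and re-indexed.
whitelist = \.(log|json)$
blacklist = \.(gz|bz2|zip|tmp)$
# Skip files whose modification time is older than 30 days on discovery.
# Caveat: a file skipped this way is not re-checked later even if it is
# modified again, so keep the window generous.
ignoreOlderThan = 30d

# A single gzip-compressed file is read directly; no manual uncompress step.
[monitor:///var/log/audit/archive.json.gz]
index = app_logs
sourcetype = app:json

# The fishbucket identifies a file by a CRC of its first bytes. Files that
# share an identical header (e.g. CSV exports with the same column line)
# hash to the same CRC, so the forwarder treats them as one file and skips
# all but the first. Salting the CRC with the source path makes each path a
# distinct checkpoint. Do not use crcSalt = <SOURCE> for logs that rotate by
# rename, or the renamed file is seen as new and re-indexed.
[monitor:///var/log/exports/*.csv]
index = app_logs
sourcetype = csv
crcSalt = <SOURCE>
```

After editing the file, restart the forwarder (or reload inputs) and confirm the stanzas are active with `splunk list monitor`; a file that is never picked up is almost always a whitelist/blacklist mismatch, an `ignoreOlderThan` skip, or a CRC collision of the kind the last stanza addresses.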