I have this file in location:
/Users/myuser/path/firewall3.log
Thu Mar 6 11:33:49 EST 2014 src_ip=1.1.1.1
Thu Mar 6 11:33:45 EST 2014 sourceip=8.1.2.3
Thu Mar 6 11:33:48 EST 2014 source_ip=1.1.1.0
Thu Mar 6 11:33:47 EST 2014 sip=1.1.1.199
Thu Mar 6 11:33:46 EST 2014 ip=
Thu Mar 6 11:33:46 EST 2014 ip=22.22.22.22
Thu Mar 7 10:00:00 EST 2014 ip=22.22.22.22
Thu Mar 8 10:30:00 EST 2014 ip=22.22.22.22
Thu Mar 9 10:30:00 EST 2014 ip=22.22.22.22
I add a new index:
./splunk add index -name newindex3
Next I add monitor:
./splunk add monitor "/Users/myuser/path/firewall3.log" -index newindex3 -sourcetype firewall3
No errors, but a new sourcetype is not created in Splunk.
I tried the same command with the sourcetype parameter, but a new sourcetype is still not created:
./splunk add monitor "/Users/myuser/path/firewall3.log" -index newindex3 -sourcetype firewall3 -sourcetype firewall3
What is the correct command to monitor a local file? I looked at this article:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Data/MonitorfilesanddirectoriesusingtheCLI#Example...
but I don't see what I am missing to make sure a new sourcetype is created. When I use oneshot, a new sourcetype is created, but I would like to add entries to the local file and see the new events in Splunk.
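The monitor-versus-oneshot distinction raised in the question, as an added example (this is not code from the poster or from Splunk): a small Python stand-in that parses the firewall3.log lines quoted above, normalises the five different source-IP field names (src_ip, sourceip, source_ip, sip, ip) onto one value, leaves the empty "ip=" line without a source IP instead of failing, and re-reads the file from a remembered byte offset so that lines appended later are picked up on the next pass, which is what a monitor input does and a oneshot does not. The field-name list, the regular expression and the function names are assumptions made for this example; the sample lines are the ones from the question, embedded inline so the block runs offline.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import datetime

# Constructed sample input: the firewall3.log lines quoted in the question.
SAMPLE_LOG = (
    "Thu Mar 6 11:33:49 EST 2014 src_ip=1.1.1.1\n"
    "Thu Mar 6 11:33:45 EST 2014 sourceip=8.1.2.3\n"
    "Thu Mar 6 11:33:48 EST 2014 source_ip=1.1.1.0\n"
    "Thu Mar 6 11:33:47 EST 2014 sip=1.1.1.199\n"
    "Thu Mar 6 11:33:46 EST 2014 ip=\n"
    "Thu Mar 6 11:33:46 EST 2014 ip=22.22.22.22\n"
)
# Lines appended to the file later (also taken from the question).
APPENDED_LINES = (
    "Thu Mar 7 10:00:00 EST 2014 ip=22.22.22.22\n"
    "Thu Mar 8 10:30:00 EST 2014 ip=22.22.22.22\n"
    "Thu Mar 9 10:30:00 EST 2014 ip=22.22.22.22\n"
)

# Every key this file uses to mean "source IP" (assumption for this example).
SRC_IP_KEYS = ("src_ip", "sourceip", "source_ip", "sip", "ip")

# "Thu Mar 6 11:33:49 EST 2014 key=value ..." -> stamp, zone, year, key=value tail
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<tz>[A-Z]{3,4}) (?P<year>\d{4})\s*(?P<kv>.*)$"
)


def parse_line(line):
    """Parse one log line into an event dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The day-of-week token is parsed but not validated against the date (strptime behaviour).
    when = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    fields = {}
    for token in m["kv"].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    # Normalise the five spellings onto one field; an empty value (the "ip=" line) stays None.
    src_ip = next((fields[k] for k in SRC_IP_KEYS if fields.get(k)), None)
    return {"_time": when, "tz": m["tz"], "fields": fields, "src_ip": src_ip}


def read_new_events(path, offset=0):
    """Return (events, new_offset) for complete lines written after byte `offset`.

    This mimics a monitor input rather than a oneshot: the caller keeps the offset
    and calls again later, receiving only the lines appended since the last pass.
    A trailing partial line (no newline yet) is left for the next pass.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    cut = data.rfind(b"\n")
    if cut < 0:
        return [], offset
    complete = data[: cut + 1]
    events = []
    for raw in complete.splitlines():
        event = parse_line(raw.decode("utf-8", "replace"))
        if event is not None:
            events.append(event)
    return events, offset + len(complete)


def src_ip_counts(events):
    """Count events per normalised source IP, skipping events that have none."""
    return Counter(e["src_ip"] for e in events if e["src_ip"])


def demo():
    """Write the sample file, read it, append more lines, then read only the new ones."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        with open(path, "w") as fh:
            fh.write(SAMPLE_LOG)
        first, offset = read_new_events(path, 0)
        with open(path, "a") as fh:
            fh.write(APPENDED_LINES)
        second, offset = read_new_events(path, offset)
        return len(first), len(second), src_ip_counts(first + second)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Running the block prints the event count of the first pass (6), the count of the second pass (3, only the appended lines) and the per-source-IP totals. The byte offset is the piece of state that separates a monitor from a oneshot: if it is never persisted, every pass re-reads the whole file.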
Is your path correct for the firewall3.log, meaning can you see this in Splunk? Check permissions also; the Splunk user needs to be able to read the file.
If you don't get results for the firewall3 sourcetype, most likely you're not indexing the file correctly. Your syntax is correct for the add monitor and for adding the sourcetype.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/MonitorfilesanddirectoriesusingtheCLI
Thank you.
I believe my path is correct. If I intentionally make it wrong I get an error: "Parameter name: Path does not exist."
I cannot see the new sourcetype in Splunk, or firewall3.log in Sources. The same file with a different name inside a peer folder loads fine in source and as sourcetype if I use oneshot command to add the file. This cannot be a permission error.
Please let me know what you mean by "not indexing the file correctly". Before I use the add monitor command I use: ./splunk add index -name newindex3
Does it look wrong to you?
The link to the documentation you sent is the one I mentioned in my post. I have seen it, but I am afraid I am missing something. The trouble is that I don't get any errors in the terminal when I add the index and when I add the monitor, but a new sourcetype is not created, and Splunk does not see the file in Sources. Thank you.