How to import only additional data - Security business -Macnica

Security business menu

Security business
HOME

To be elected
cause

Service

Handling Manufacturer

Examples/reports/
Blog/Glossary

Seminar/
video on demand

TOP

Products/Services

Specifications/Technical Information

Specifications/Technical Information

solution

solution

User stories

support

Seminar content

Evaluation machine application/FAQ

Application for evaluation machine
- Splunk Evaluation Download
FAQ

Document request

inquiry

Event/Seminar

video on demand

How to import only additional data

release date: 2016-09-21

last updated: 2024-01-11

version: Splunk Enterprise 9.0.4

Overview: If you want to only import additional data to prevent data volume from increasing, you can add followTail=1 to the [Monitor] stanza of inputs.conf to import only data that was imported after the setting was made.

Reference information

https://docs.splunk.com/Documentation/Splunk/9.0.4/admin/Inputsconf

content

About data acquisition

Splunk will import all the data in the folders/files to be imported when data import settings are made. If the data to be imported is huge, it may take time to import the data or you may run out of licenses.

By making the following settings, it is possible to import data into Splunk from the data imported after the import settings have been made.

Setting method

Open <SPLUNK_HOME>/etc/system/local/inputs.conf in a text editor.

Add the following settings

[monitor://<取り込みたいファイルのパス>]
followTail = 1

Example: When importing data under the /var/log folder using the above settings

[monitor:///var/log]
followTail = 1

restart splunk

that's all

to previous page

In charge of Macnica Splunk Co., Ltd.

inquiry Document request

TEL：045-476-2010
E-mail：splunk-sales@macnica.co.jp

Weekdays: 9:00-17:00

Site Search