How to import only additional data - Security business -Macnica

Security business menu

Security business
HOME

To be elected
cause

Service

Handling Manufacturer

Examples/reports/
Blog/Glossary

Seminar/
video on demand

TOP

Products/Services

Specifications/Technical Information

Specifications/Technical Information
- Splunk Enterprise features
- Splunk Technology Blog

solution

solution

User stories

support

Seminar content

Evaluation machine application/FAQ

Application for evaluation machine
- Splunk Evaluation Download
FAQ

Document request

inquiry

Event/Seminar

video on demand

How to import only additional data

release date: 2016-09-21

last updated: 2016-09-21

version: Splunk Enterprise 6.4.3

Overview: How to import only additional data

Reference information

http://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Inputsconf

content

About data acquisition

Splunk will import all the data in the folders/files to be imported when data import settings are made. If the data to be imported is huge, it may take time to import the data or you may run out of licenses.

By making the following settings, it is possible to import data into Splunk from the data imported after the import settings have been made.

Setting method

Open <SPLUNK_HOME>/etc/system/local/inputs.conf in a text editor.

Add the following settings

[monitor://<取り込みたいファイルのパス>]
followTail = 1

Example: When importing data under the /var/log folder using the above settings

[monitor:///var/log]
followTail = 1

restart splunk

that's all

to previous page

In charge of Macnica Splunk Co., Ltd.

inquiry Document request

TEL：045-476-2010
E-mail：splunk-sales@macnica.co.jp

Mon-Fri 8:45-17:30