Splunk Command Line Reference

How to add, edit, remove or list an input in Splunk?
$ sudo ./splunk [add|edit|remove|list] [monitor|exec|tcp|udp|oneshot] <source>
source - the file, directory, scripted input (exec), or socket (tcp/udp) to manage

How to remove monitor?
$ sudo ./splunk remove monitor /var/log/jenkins

How to set the host field on a monitored input?
-hostname sets the host value stamped on every event from that input; -index sends the events to the named index.
$ sudo ./splunk add monitor /var/log/dmesg -hostname rajesh -index newindex
$ sudo ./splunk add monitor /opt/lampp/etc -hostname rajhost -index rajesh

How to send a monitored input to a specific index?
$ sudo ./splunk add monitor /var/log/dmesg -hostname rajesh -index newindex

How to upload a file once (oneshot)?
$ sudo ./splunk add oneshot /var/log/applog
> splunk add oneshot "C:\Program Files\AppLog\log.txt"    # Windows: no sudo, and quote a path that contains spaces

How to point a forwarder at a receiving indexer?
$ sudo ./splunk add forward-server <host>:<port> -auth <username>:<password>
If -auth is left out, splunk prompts for the username and password, which keeps the password out of shell history and process listings.

Alternatively, if you have many forwarders, you can use an outputs.conf file to specify the receiver. For example:
[tcpout:my_indexers]
server= splunk_indexer.acme.com:9997

On the receiving indexer, enable listening. <port> is the network port the receiver listens on; 9997 is the conventional choice and matches the outputs.conf example above.
$ sudo ./splunk enable listen <port> -auth <username>:<password>
$ sudo ./splunk enable listen 9997 -auth <username>:<password>

This command shows the merged inputs configuration and, with --debug, which conf file (and therefore which app) each setting comes from.
$ sudo ./splunk btool inputs list --debug
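The following script is an added example, not code from the page or from Splunk. It reads the output of btool --debug and prints one line per monitor stanza with its index, host and owning app, which is a quick way to confirm that the add monitor commands above landed where you expected and to spot inputs added by apps you did not install. The sample btool output embedded in the script is constructed; it assumes SPLUNK_HOME is /opt/splunk and uses a hypothetical app named jenkins_ta.

```shell
#!/bin/sh
# Added example (not from the page or from Splunk): summarise
# "splunk btool inputs list --debug" output as one line per monitor stanza:
# stanza, index, host, owning app.

# Reads btool --debug output on stdin. Each line is "<conf file path> <setting>";
# a setting that starts with "[" opens a new stanza. Prints TAB-separated
# stanza, index ("-" when not set), host ("-" when not set), app name.
audit_monitor_inputs() {
  awk '
    function flush() {
      if (stanza ~ /^monitor:/)
        printf "%s\t%s\t%s\t%s\n", stanza, idx, host, app
    }
    {
      path = $1
      rest = $0
      sub(/^[^ \t]+[ \t]+/, "", rest)          # strip the file path column
      if (rest ~ /^\[/) {                       # new stanza header
        flush()
        stanza = rest
        sub(/^\[/, "", stanza); sub(/\]$/, "", stanza)
        idx = "-"; host = "-"
        # app = directory after /etc/apps/, or "system" for SPLUNK_HOME/etc/system
        n = index(path, "/etc/apps/")
        if (n > 0) { split(substr(path, n + 10), p, "/"); app = p[1] } else { app = "system" }
      } else if (rest ~ /^index[ \t]*=/) {
        sub(/^index[ \t]*=[ \t]*/, "", rest); idx = rest
      } else if (rest ~ /^host[ \t]*=/) {
        sub(/^host[ \t]*=[ \t]*/, "", rest); host = rest
      }
    }
    END { flush() }
  '
}

# Constructed sample of btool --debug output (not captured from a real system).
# Paths assume SPLUNK_HOME=/opt/splunk; "jenkins_ta" is a hypothetical app.
SAMPLE_BTOOL_DEBUG='/opt/splunk/etc/apps/search/local/inputs.conf      [monitor:///var/log/dmesg]
/opt/splunk/etc/apps/search/local/inputs.conf      host = rajesh
/opt/splunk/etc/apps/search/local/inputs.conf      index = newindex
/opt/splunk/etc/system/default/inputs.conf         disabled = 0
/opt/splunk/etc/apps/jenkins_ta/local/inputs.conf  [monitor:///var/log/jenkins]
/opt/splunk/etc/system/default/inputs.conf         disabled = 0
/opt/splunk/etc/system/local/inputs.conf           [splunktcp://9997]
/opt/splunk/etc/system/local/inputs.conf           disabled = 0'

# Stand-alone run over the sample. On a real host use:
#   sudo ./splunk btool inputs list --debug | audit_monitor_inputs
printf '%s\n' "$SAMPLE_BTOOL_DEBUG" | audit_monitor_inputs
```

The splunktcp stanza in the sample is what enable listen 9997 writes to system/local/inputs.conf; it is deliberately filtered out so the report only covers file and directory monitors.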

Permanently remove event data from an index. splunkd must be stopped first, -f skips the interactive confirmation prompt, and there is no undo.
$ splunk stop
$ splunk clean eventdata                      # permanently remove data from all indexes
$ splunk clean eventdata -index <index_name>  # permanently remove data from one index
$ splunk clean eventdata -index _internal -f  # permanently remove data from _internal, no confirmation prompt
$ splunk start

Options for removing data from one or all indexes
$ splunk help clean
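The stop / clean / start sequence above, wrapped in a guard script. This is an added example, not code from the page or from Splunk. It assumes SPLUNK_BIN points at the splunk binary (default /opt/splunk/bin/splunk) and that the script is allowed to stop and start splunkd. Because -f removes the only interactive check, the wrapper refuses the internal indexes (names beginning with "_") unless FORCE_INTERNAL=1 is set, and rejects anything that is not a valid Splunk index name before it reaches the command line.

```shell
#!/bin/sh
# Added example (not from the page or from Splunk): a guarded wrapper around
# "splunk clean eventdata". Assumption: SPLUNK_BIN is the splunk binary and
# this script may stop/start splunkd.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"

# clean_index_allowed NAME -> 0 if NAME may be wiped, 1 otherwise.
# Valid index names use only lowercase letters, digits, "_" and "-" and do not
# start with "-". Names starting with "_" are Splunk's internal indexes
# (_internal, _audit, ...) and are refused unless FORCE_INTERNAL=1.
clean_index_allowed() {
  name="$1"
  case "$name" in
    "")             return 1 ;;   # empty name would mean "all indexes"
    *[!a-z0-9_-]*)  return 1 ;;   # not a valid index name (also blocks shell metacharacters)
    -*)             return 1 ;;   # would be parsed as an option by the CLI
    _*)             [ "${FORCE_INTERNAL:-0}" = "1" ] ;;
    *)              return 0 ;;
  esac
}

# splunk_clean_index NAME: stop splunkd, wipe NAME, start splunkd.
# Returns 2 when the guard refuses, 1 when a splunk command fails.
splunk_clean_index() {
  idx="$1"
  if ! clean_index_allowed "$idx"; then
    echo "refusing to clean index '$idx' (internal or invalid name; FORCE_INTERNAL=1 overrides)" >&2
    return 2
  fi
  # clean only works while splunkd is stopped
  "$SPLUNK_BIN" stop || return 1
  # -f skips the "are you sure" prompt, so the guard above is the only check left
  "$SPLUNK_BIN" clean eventdata -index "$idx" -f || return 1
  "$SPLUNK_BIN" start
}

# Stand-alone usage: sh clean_index.sh <index_name>
if [ "$#" -gt 0 ]; then
  splunk_clean_index "$1"
fi
```

Pointing SPLUNK_BIN at a stub script that logs its arguments is a cheap way to rehearse the wrapper on a workstation before running it against a production indexer.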

Remove an index entirely (its configuration and all of its data)
$ splunk stop
$ splunk remove index main # fails with "cannot remove idx=main, is internal"
$ splunk remove index <index_name>

Disable an index without removing it
$ splunk disable index <index_name>

Rajesh Kumar