Articles

Splunk Monitor Inputs: File, Directory, and Network (2026)

April 6, 2026 4 min read

Splunk’s file, directory, and network monitoring inputs don’t actually read files or listen on ports themselves; they tell the Splunk forwarder where to look and how to interpret what it finds.

Let’s see it in action. Imagine you have a web server generating access logs in /var/log/apache2/access.log on a Linux machine.

# On the target machine (e.g., a web server)
# This command simulates a new log entry
echo '192.168.1.100 - - [10/Oct/2023:10:30:00 +0000] "GET /index.html HTTP/1.1" 200 1234' >> /var/log/apache2/access.log

# On the Splunk indexer, you'd see this data arrive almost immediately.
# You can search for it using:
# index=web sourcetype=apache_access

The magic happens in the Splunk forwarder’s configuration files, typically located in $SPLUNK_HOME/etc/system/local/inputs.conf or within an app’s local directory.

Here’s a sample inputs.conf snippet for monitoring that Apache access log:

[monitor:///var/log/apache2/access.log]
disabled = false
index = web
sourcetype = apache_access
whitelist = \.log$
crcSalt = <SOURCE>
sourcetype = apache_access

Let’s break down what’s happening:

  • [monitor:///var/log/apache2/access.log]: This is the stanza that defines the input. monitor tells Splunk to watch this path. The path itself is the target.
  • disabled = false: Ensures this input is active.
  • index = web: This is where the data will be stored on the Splunk indexer. It’s a logical separation of data.
  • sourcetype = apache_access: This is crucial. It tells Splunk how to parse and format the incoming data. Splunk uses sourcetype to apply specific configurations for field extraction, timestamp recognition, and event breaking. Without it, raw data is just… raw.
  • whitelist = \.log$: This is a regular expression that filters which files within a directory monitor input are actually read. For a single file input like this, it’s less critical but good practice to ensure only .log files are considered if this were a directory monitor.
  • crcSalt = <SOURCE>: This is a performance optimization. Splunk calculates a CRC (Cyclic Redundancy Check) for each file it monitors. If the CRC changes, it knows the file has been modified and needs to be re-read. <SOURCE> tells Splunk to include the source path in the CRC calculation, preventing potential conflicts if multiple files happen to have identical content but different paths.

Directory Monitoring

For directories, the inputs.conf looks similar but targets a directory:

[monitor:///var/log/myapp/logs/]
disabled = false
index = myapp
sourcetype = myapp_log
initiallyOffline = true
  • [monitor:///var/log/myapp/logs/]: Monitors all files within the /var/log/myapp/logs/ directory.
  • initiallyOffline = true: This is important for directory monitors. When a forwarder starts up and sees a directory monitor for the first time, initiallyOffline = true tells it not to read existing files in that directory. It will only start monitoring new files created after the forwarder starts. If you omit this or set it to false, Splunk might try to ingest gigabytes of historical data upon initial setup, which is rarely desired.

Network Monitoring (TCP/UDP)

Splunk can also listen on network ports. This is often used for syslog or custom application protocols.

[tcp://9997]
disabled = false
index = network
sourcetype = syslog

[udp://514]
disabled = false
index = network
sourcetype = syslog
  • [tcp://9997]: Tells Splunk to listen for incoming TCP connections on port 9997.
  • [udp://514]: Tells Splunk to listen for incoming UDP datagrams on port 514.

For network inputs, the sourcetype is critical for parsing the incoming data stream. A common pattern is to use sourcetype = syslog for data coming from standard syslog daemons.

The Mental Model

Think of inputs.conf as the Splunk forwarder’s "to-do list" for data ingestion. Each stanza is an item on that list. The monitor and network input types (tcp://, udp://) are the actions to perform. The path or port is the target. Everything else (index, sourcetype, whitelist, disabled, initiallyOffline) is the instruction set for how to perform that action. Splunk doesn’t invent data; it’s configured to collect and categorize existing data sources.

The Counterintuitive Bit

Splunk’s file monitoring is incredibly efficient because it doesn’t just re-read files from the beginning every time. It keeps track of exactly how far it has read into each file using a metadata file (often called splunkd.log or similar, depending on configuration and version, but the forwarder manages this internally). When a file is updated, the forwarder resumes reading from where it left off, only ingesting the new data. This is why you can monitor massive, constantly growing log files without Splunk falling behind or re-processing old data.

The next step is understanding how Splunk processes this data after ingestion, particularly with props.conf for advanced parsing and field extraction.

More Deep Dives in Splunk

Want structured learning?

Take the full Splunk course →