Today I had to index an entire directory full of IIS logs into Splunk. I didn't want to create an input on the forwarder, so I had to look for another solution. Fortunately Splunk has a command called "oneshot" that does just that: it is a one-off way to push a file through Splunk once, without defining a permanent monitor input.
I couldn't figure out how to run it against a directory full of logs, so I wrapped the command in a for loop.
```bash
# run from inside the directory that holds the IIS logs
for f in *.log; do
  /opt/splunkforwarder/bin/splunk add oneshot "$f" -index iis -sourcetype "iis"
done
```
The loop walks every .log file in the current directory and sends each one with the oneshot command to the index "iis" with the sourcetype "iis". Globbing on *.log (rather than parsing the output of ls) keeps file names with spaces intact and skips anything that is not a log. If you are running against a single file, drop the loop and pass the file name directly.
You'll be prompted for the admin credentials (or you can pass them on the command line with -auth user:password). I was on a forwarder, so I just used "admin" and "changeme", which are the defaults; on anything other than a throwaway forwarder those defaults should already have been changed.
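As an added example (not the post's own code), here is the same procedure as a small POSIX shell function that submits every .log file in a directory, passes the credentials with -auth so it does not stop for a password prompt, counts what it sent and reports any file that oneshot rejected. The binary path, the credentials and the oneshot_dir name are assumptions; override SPLUNK_BIN and SPLUNK_AUTH for your host.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed defaults; override as needed.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunkforwarder/bin/splunk}"
SPLUNK_AUTH="${SPLUNK_AUTH:-admin:changeme}"   # Splunk's shipped defaults; change on a real host

# oneshot_dir DIR INDEX SOURCETYPE
# Runs "splunk add oneshot" once per *.log file directly under DIR.
# Prints the number of files submitted; returns non-zero if any submission failed.
oneshot_dir() {
    dir="$1"; index="$2"; sourcetype="$3"
    count=0; failed=0
    # The glob is expanded in sorted order, so IIS daily logs (u_exYYMMDD.log)
    # are submitted chronologically, and names with spaces stay intact.
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue            # glob matched nothing
        # -auth supplies the credentials so the CLI does not prompt
        if "$SPLUNK_BIN" add oneshot "$f" -index "$index" -sourcetype "$sourcetype" \
                -auth "$SPLUNK_AUTH" >/dev/null; then
            count=$((count + 1))
        else
            echo "oneshot failed for $f" >&2
            failed=1
        fi
    done
    echo "$count"
    return "$failed"
}

# Stand-alone usage: ./oneshot_dir.sh /path/to/iis/logs iis iis
if [ "$#" -ge 3 ]; then
    oneshot_dir "$@"
fi
```

Because the loop keys on the directory listing rather than on Splunk's state, re-running it re-submits every file; oneshot has no "already indexed" bookkeeping the way a monitor input does, so move or archive files you have finished with before running it again.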