Another common method of adding file and directory inputs is to add them directly to the inputs.conf configuration file. This approach is often used in large environments or when configuring Splunk forwarders to monitor files or directories on endpoints.
Edit $SPLUNK_HOME/etc/system/local/inputs.conf and add your input. After your inputs are added, Splunk will need to be restarted to recognize these changes.
For Unix, we will use the following code:
[monitor:///var/log/messages]
sourcetype = linux_messages
For Windows, we will use the following code:
[monitor://c:/filelocation/cp01_messages.log]
sourcetype = linux_messages
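When the same input has to be pushed to many forwarders, the edit is usually scripted. The following is an added example, not code from the original page: the function names `add_monitor_input` and `count_monitor_stanzas` are hypothetical, and the demo writes to a scratch directory standing in for $SPLUNK_HOME so that re-running it never duplicates a stanza.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# add_monitor_input CONF PATH SOURCETYPE
# Appends a [monitor://PATH] stanza to CONF unless that stanza already exists.
add_monitor_input() {
    conf=$1
    path=$2
    sourcetype=$3
    # The stanza name is "monitor://" followed by the path, which is why an
    # absolute Unix path such as /var/log/messages yields three slashes.
    stanza="[monitor://$path]"

    mkdir -p "$(dirname "$conf")"
    touch "$conf"

    # Exact, fixed-string, whole-line match: no duplicate stanza on re-run.
    if grep -qxF "$stanza" "$conf"; then
        return 0
    fi

    # Keep a blank line between this stanza and any existing content.
    if [ -s "$conf" ]; then
        printf '\n' >> "$conf"
    fi
    printf '%s\nsourcetype = %s\n' "$stanza" "$sourcetype" >> "$conf"
}

# count_monitor_stanzas CONF: prints how many monitor stanzas CONF contains.
count_monitor_stanzas() {
    grep -c '^\[monitor://' "$1" || true
}

# Demo against a scratch directory standing in for $SPLUNK_HOME (constructed).
demo_home=$(mktemp -d)
demo_conf="$demo_home/etc/system/local/inputs.conf"
add_monitor_input "$demo_conf" /var/log/messages linux_messages
add_monitor_input "$demo_conf" c:/filelocation/cp01_messages.log linux_messages
add_monitor_input "$demo_conf" /var/log/messages linux_messages  # no-op
cat "$demo_conf"
echo "monitor stanzas: $(count_monitor_stanzas "$demo_conf")"
rm -rf "$demo_home"
```

On a real instance, pass $SPLUNK_HOME/etc/system/local/inputs.conf as the first argument and restart Splunk afterwards; `splunk btool inputs list --debug` shows the merged configuration and which file each setting came from.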