I had a folder full of log files that I wanted to index quickly in my local instance of Splunk. The files won’t persist, so the right thing to do is to use the “oneshot” command (documented here). This can be done in the web UI, but I like doing stuff at the command line. I opened up PowerShell (elevated, as my Splunk instance runs as SYSTEM) and tried this:
splunk add oneshot *.log
And this was the output:
In handler 'oneshotinput': unable to open file: path='C:\Users\Hal\temp\*.log' error='The filename, directory name, or volume label syntax is incorrect.'
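It didn’t work! OK, so my assumption was that Splunk would expand the wildcard and have at it. It doesn’t: PowerShell hands *.log to the program as-is, and Splunk tries to open it as a literal filename. No big deal, though; this is quick to solve with a PowerShell one-liner: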
ls | % { splunk add oneshot $_ }
Or, properly expanded out to not use the built-in aliases:
Get-ChildItem | ForEach-Object { splunk add oneshot $_ }
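A more defensive version of the same loop, as an added example that is not from the original post: it submits only files matching *.log, passes absolute paths, and reports which files Splunk rejected. The function name, its parameters and the default index are hypothetical, and it assumes splunk is on the PATH and exits non-zero when a oneshot fails.

```powershell
# Added example, not from the original post. Add-SplunkOneshot and its
# parameters are hypothetical names chosen for illustration.
function Add-SplunkOneshot {
    param(
        [string]$Path      = '.',
        [string]$Filter    = '*.log',
        [string]$Index     = 'main',    # assumption: Splunk's default index
        [string]$SplunkExe = 'splunk'   # assumption: splunk is on PATH, as in the post
    )

    # -File skips subdirectories; -Filter keeps unrelated files out of the index.
    # @() forces an array so .Count is reliable for zero or one match.
    $files  = @(Get-ChildItem -Path $Path -Filter $Filter -File)
    $failed = @()

    foreach ($file in $files) {
        # FullName is always an absolute path, however the item would stringify.
        # Out-Host keeps the CLI's messages out of the function's return value.
        & $SplunkExe add oneshot $file.FullName -index $Index | Out-Host

        # Assumption: the Splunk CLI returns a non-zero exit code on failure.
        if ($LASTEXITCODE -ne 0) {
            $failed += $file.FullName
        }
    }

    # Summary object, so a failed file is not lost in scrolling output.
    [pscustomobject]@{
        Found     = $files.Count
        Submitted = $files.Count - $failed.Count
        Failed    = $failed
    }
}

# Usage (from an elevated prompt if Splunk runs as SYSTEM):
#   Add-SplunkOneshot -Path 'C:\Users\Hal\temp'
```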
Hope this helps!