https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383296#M1193 <P>Hi Rich,</P> <P>Thanks for your quick response, that really helped and it worked.</P> Tue, 01 Jan 2019 09:08:09 GMT w_raza 2019-01-01T09:08:09Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383292#M1189 <P>Hi,</P> <P>I've deployed <STRONG>splunklight-7.2.1</STRONG> and I am using universal log forwarder to forward logs from a Linux server to my Splunk server.</P> <P>I'm stuck in condition where I have to get logs from a particular file which gets created a new file daily to store the logs. For example, today's logs will be stored in <STRONG>../acess_log.2018-12-31</STRONG> and tomorrow's logs will be stored as <STRONG>../access_log.2019-01-01</STRONG> and so on. Can any one please guide my what should I configure in my inputs.conf file to get these logs?</P> <P>Thanks in advance</P> Mon, 31 Dec 2018 14:41:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383292#M1189 w_raza 2018-12-31T14:41:50Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383293#M1190 <P>It depends on what else you don't want to monitor is in the same directory, but start with <CODE>[monitor://../access_log.*]</CODE>.</P> Mon, 31 Dec 2018 14:45:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383293#M1190 richgalloway 2018-12-31T14:45:24Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383294#M1191 <P>That won't work quite right, Rich. The wildcard is three dots, and using ../ would probably try to find log files up one level from the Splunk root or possibly from the root level (and only at that level). (Checking <CODE>bin/splunk list monitor</CODE> just shows that splunk is literally interpreting the ../ but not showing the actual root it's using)</P> <P>You're always better off with an explicit path as the start (ie, <CODE>[monitor:///var/log/access_log.*]</CODE>), or if it's truly a wildcard recursive search, then it would be <CODE>[monitor:///var/log/.../access_log.*]</CODE>. Recursion though from the root wouldn't be a very good idea because then Splunk will have to traverse the whole file system looking for access_log files.</P> Mon, 31 Dec 2018 15:03:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383294#M1191 vliggio 2018-12-31T15:03:13Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383295#M1192 <P>Valid points. My answer was based on the OP's info, but explicit file paths are best.</P> Mon, 31 Dec 2018 15:19:59 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383295#M1192 richgalloway 2018-12-31T15:19:59Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383296#M1193 <P>Hi Rich,</P> <P>Thanks for your quick response, that really helped and it worked.</P> Tue, 01 Jan 2019 09:08:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383296#M1193 w_raza 2019-01-01T09:08:09Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383297#M1194 <P>Hi vliggio,</P> <P>Thanks for your response and explaining in detail, that helped.</P> Tue, 01 Jan 2019 09:09:20 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-you-collect-Linux-logs-from-files-such-as-access-log-YY/m-p/383297#M1194 w_raza 2019-01-01T09:09:20Z