topic Re: monitor particular log in universal forwarder in Deployment Architecture

monitor particular log in universal forwarder

puneethgowda — Tue, 24 Jan 2017 12:30:10 GMT

Hi all,

How do we monitor one particular log through universal forwarder because we are writing 10 different logs in same folder which is different fields.

and also logs are forwarding to main index how do we forward that into new index and how to set source type for each log as each logs having different fields.

Regards,

Puneeth

Re: monitor particular log in universal forwarder

inventsekar — Tue, 24 Jan 2017 13:07:28 GMT

How do we monitor one particular log through universal forwarder because we are writing 10 different logs in same folder which is different fields ///
Can you please update us more info...
- is that log which you want to monitor is changing? (rolling log files?)
- if the file name is not changing, as per the screenshot, you can update the inputs.conf with full logfile name.
[monitor://D:\HotelHub\Log4NetLogs\UserSessionsInfo20170124-09.txt]

http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Monitorfilesanddirectorieswithinputs.conf
as you can see on this inputs.conf file format, you can include index and sourcetype directly -
index =
sourcetype =

Re: monitor particular log in universal forwarder

gcusello — Tue, 24 Jan 2017 13:12:10 GMT

hi puneethgowda,
you can follow different ways, but the easyer is to create a dedicated room in your inputs.conf:

[monitor://D:\HotelHub\Log4NetLogs\109\PH\UserSessionsInfo*.txt]
index=your_index
sourcetype=your_sourcetype

If you cannot do this you have to override index at indextime:
transforms.conf

 [overrideindex]
 DEST_KEY =_MetaData:Index
 REGEX = your_regex
 FORMAT = my_new_index

props.conf

 [mysourcetype]
 TRANSFORMS-index = overrideindex

Bye.
Giuseppe

Re: monitor particular log in universal forwarder

puneethgowda — Tue, 24 Jan 2017 15:00:38 GMT

No we can't give full path till extension as file name will keep changing every hour and also same file we need to monitor from other folder

Re: monitor particular log in universal forwarder

puneethgowda — Tue, 24 Jan 2017 15:02:05 GMT

We are trying regex let's see

Re: monitor particular log in universal forwarder

woodcock — Tue, 24 Jan 2017 15:57:53 GMT

Split your stanzas like this:

[monitor://D:\HotelHub\Log4NetLogs\file1]
File1 settings here

[monitor://D:\HotelHub\Log4NetLogs\file2]
File2 settings here

[monitor://D:\HotelHub\Log4NetLogs\file3]
File3 settings here

Re: monitor particular log in universal forwarder

puneethgowda — Wed, 25 Jan 2017 06:12:01 GMT

We cannot give full path because file name will keep changing

Re: monitor particular log in universal forwarder

gcusello — Wed, 25 Jan 2017 06:28:13 GMT

If your path can change, you can use jolly character "*" or three dots "...".
Bye.
Giuseppe

Re: monitor particular log in universal forwarder

puneethgowda — Thu, 26 Jan 2017 18:47:51 GMT

We are able to create new sourcetype and new index name and still working on monitoring one particular log which will be inside so many subfolders could any one help us on this.

[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs\109\PH\AppServerDbconnectInfo*.txt]
disable = 0
index=main
ignoreOlderThan= 1d
sourcetype=UFBETA_DbconnectInfo
index=UFBETA

//D:\HotelHub\Log4NetLogs\109 after fodername 109 there will be many subfolder we need to forward data from all the folders how to pass variable in the place of \109\PH\

We tried //D:\HotelHub\Log4NetLogs*\AppServerDbconnectInfo*.txt

but not working and also we tried

whitelist = query.log$
here we are giving till Log4NetLogs no giving 109\PH because we need to read after Log4netlogs all the files which start with appserverdbconnect
[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs]
disable = 0
index=main
ignoreOlderThan= 1d
sourcetype=UFBETA_DbconnectInfo
index=UFBETA
whitelist = AppServerDbconnectInfo.txt$

Re: monitor particular log in universal forwarder

puneethgowda — Tue, 29 Sep 2020 12:33:40 GMT

We are able to create new sourcetype and new index name and still working on monitoring one particular log which will be inside so many subfolders could any one help us on this.

[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs\109\PH\AppServerDbconnectInfo*.txt]
disable = 0
index=main
ignoreOlderThan= 1d
sourcetype=UFBETA_DbconnectInfo
index=UFBETA

//D:\HotelHub\Log4NetLogs\109 after fodername 109 there will be many subfolder we need to forward data from all the folders how to pass variable in the place of \109\PH\

We tried //D:\HotelHub\Log4NetLogs*\AppServerDbconnectInfo*.txt

but not working and also we tried

whitelist = query.log$
here we are giving till Log4NetLogs no giving 109\PH because we need to read after Log4netlogs all the files which start with appserverdbconnect
[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs]
disable = 0
index=main
ignoreOlderThan= 1d
sourcetype=UFBETA_DbconnectInfo
index=UFBETA
whitelist = AppServerDbconnectInfo.txt$

Re: monitor particular log in universal forwarder

puneethgowda — Mon, 06 Feb 2017 17:03:10 GMT

Thank you all