https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139389#M28667 <P>I assume the poster downvoted me because I didn't provide a ready to use answer, so now there is one. Please upvote it and accept as working if you test this and it works.</P> <P>Thanks.</P> Tue, 12 Nov 2013 22:04:33 GMT jtrucks 2013-11-12T22:04:33Z https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139387#M28665 <P>Does anyone know of a tool that will 'expand' the monitor stanza from inputs.conf on a universalforwarder to show an example of logs to be watched?</P> <P>I.e., I have a monitor stanza:</P> <P>[monitor:///path/to/some/*/dir]<BR /> whitelist = /file_name(s).log$</P> <P>And before I restart splunk and do the 'hope it works' I was wondering if there was a tool that would, using Splunk's logic, show me all the files the above would 'see' for monitoring.</P> <P>I have multiple 'client' directories (being replaced above by the *) where some have specific logs and some do not. I would rather write one monitor for each type of log verses writing a new monitor stanza per client dir/log type. </P> <P>And I need to test it before pulling the trigger and not impact other, already configured, data-gathering.</P> Tue, 12 Nov 2013 21:15:48 GMT https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139387#M28665 tyronetv 2013-11-12T21:15:48Z https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139388#M28666 <P>A fairly simplistic approach is just to use ls:</P> <PRE><CODE>ls -d /path/to/some/*/dir ls -d /path/to/some/*/dir/file_name*.log </CODE></PRE> <P>The results is how the system will glob the filenames and create paths.</P> <P>Also, you could quickly write something in perl, python, C, or any other language with a similar function. Then you could have that program pull any line with "[monitor…]" to parse the paths and glob them for you.</P> <P>For a working way to do this really quick and dirty, do this:</P> <PRE><CODE>ls -d $( awk '/monitor/' inputs.conf| sed -e 's|\[monitor://||' -e 's|\]$||') </CODE></PRE> <P>Obviously adjust where you run this or specify full path to inputs.conf.</P> Tue, 12 Nov 2013 21:38:26 GMT https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139388#M28666 jtrucks 2013-11-12T21:38:26Z https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139389#M28667 <P>I assume the poster downvoted me because I didn't provide a ready to use answer, so now there is one. Please upvote it and accept as working if you test this and it works.</P> <P>Thanks.</P> Tue, 12 Nov 2013 22:04:33 GMT https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139389#M28667 jtrucks 2013-11-12T22:04:33Z https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139390#M28668 <P>The awk statement is fine and almost a mirror of what I've already done. I am looking for something that essentially mimics the expansion of the entire monitor stanza to include file names identified by the white/black lists as well as the monitor line.</P> Tue, 12 Nov 2013 22:38:44 GMT https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139390#M28668 tyronetv 2013-11-12T22:38:44Z https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139391#M28669 <P>There isn't a premade tool that does that to date that anyone has published. It might make a good feature request to Splunk.</P> Tue, 12 Nov 2013 22:42:26 GMT https://community.splunk.com/t5/Getting-Data-In/Expand-inputs-conf-with-wildcards/m-p/139391#M28669 jtrucks 2013-11-12T22:42:26Z