<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: how to configure inputs.conf? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476133#M81728</link>
    <description>&lt;P&gt;yes it run as root.&lt;/P&gt;</description>
    <pubDate>Wed, 15 Apr 2020 05:09:59 GMT</pubDate>
    <dc:creator>khandelwaly</dc:creator>
    <dc:date>2020-04-15T05:09:59Z</dc:date>
    <item>
      <title>how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476119#M81714</link>
      <description>&lt;P&gt;i have logs like this :&lt;/P&gt;

&lt;P&gt;-rw-r----- 1 jira jira    4921534 Apr 13 22:42 catalina.2020-04-13.log&lt;BR /&gt;
-rw-r----- 1 jira jira  463769261 Apr 14 00:00 access_log.2020-04-13&lt;BR /&gt;
-rw-r----- 1 jira jira    2840014 Apr 14 13:08 catalina.2020-04-14.log&lt;BR /&gt;
-rw-r----- 1 jira jira  222675515 Apr 14 13:08 access_log.2020-04-14&lt;/P&gt;

&lt;P&gt;How to configure inputs.conf for the access_log&lt;BR /&gt;
I tried below but it didnot work&lt;/P&gt;

&lt;P&gt;[monitor:////apps/logs/access_log]&lt;BR /&gt;
index = prdidx&lt;BR /&gt;
blacklist = .(gz)$&lt;BR /&gt;
sourcetype = ACCESS&lt;BR /&gt;
_TCP_ROUTING = WEB&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 05:00:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476119#M81714</guid>
      <dc:creator>khandelwaly</dc:creator>
      <dc:date>2020-09-30T05:00:53Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476120#M81715</link>
      <description>&lt;P&gt;What is the full path of the log files shown?&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 20:47:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476120#M81715</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2020-04-14T20:47:48Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476121#M81716</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;# The following configuration reads all the files in the directory /var/log.

[monitor:///var/log]
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;there is too many &lt;CODE&gt;/&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf"&gt;https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 20:50:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476121#M81716</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-04-14T20:50:33Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476122#M81717</link>
      <description>&lt;P&gt;files are under /apps/logs/&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 20:50:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476122#M81717</guid>
      <dc:creator>khandelwaly</dc:creator>
      <dc:date>2020-04-14T20:50:55Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476123#M81718</link>
      <description>&lt;P&gt;I removed the / but still the same thing. I don't want to read all the files in that directory. I want to only read access_log&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 20:52:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476123#M81718</guid>
      <dc:creator>khandelwaly</dc:creator>
      <dc:date>2020-04-14T20:52:21Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476124#M81719</link>
      <description>&lt;P&gt;Tried below but still failing&lt;BR /&gt;
&lt;CODE&gt;[monitor:///apps/logs/]&lt;BR /&gt;
index = prdidx&lt;BR /&gt;
blacklist = \.(gz)$&lt;BR /&gt;
whitelist = access_log\.*$&lt;BR /&gt;
sourcetype =ACCESS&lt;BR /&gt;
_TCP_ROUTING = WEB&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 20:54:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476124#M81719</guid>
      <dc:creator>khandelwaly</dc:creator>
      <dc:date>2020-04-14T20:54:14Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476125#M81720</link>
      <description>&lt;P&gt;&lt;CODE&gt;blacklist = .(gz)$&lt;/CODE&gt;&lt;BR /&gt;
→&lt;BR /&gt;
&lt;CODE&gt;whitelist = \.log$&lt;/CODE&gt;&lt;BR /&gt;
How about this?&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 21:25:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476125#M81720</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-04-14T21:25:32Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476126#M81721</link>
      <description>&lt;P&gt;and check &lt;CODE&gt;sourcetype&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 21:29:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476126#M81721</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-04-14T21:29:39Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476127#M81722</link>
      <description>&lt;P&gt;if splunk runs as not root user then you have to add splunk to jira group, here is an example if splunk(forwarder) runs as a splunk user:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;usermod -a -G jira splunk
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 14 Apr 2020 21:37:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476127#M81722</guid>
      <dc:creator>PavelP</dc:creator>
      <dc:date>2020-04-14T21:37:33Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476128#M81723</link>
      <description>&lt;P&gt;Splunk restart is fine. Only files under the mentioned directory is not shown on Splunk.  Need help to configure the inputs.conf&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 21:44:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476128#M81723</guid>
      <dc:creator>khandelwaly</dc:creator>
      <dc:date>2020-04-14T21:44:58Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476129#M81724</link>
      <description>&lt;P&gt;Files are not ending with .log. Tried _log but did not work&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 21:46:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476129#M81724</guid>
      <dc:creator>khandelwaly</dc:creator>
      <dc:date>2020-04-14T21:46:01Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476130#M81725</link>
      <description>&lt;P&gt;Does splunk run as a root user? &lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 21:58:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476130#M81725</guid>
      <dc:creator>PavelP</dc:creator>
      <dc:date>2020-04-14T21:58:06Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476131#M81726</link>
      <description>&lt;P&gt;what's your &lt;CODE&gt;sourcetype&lt;/CODE&gt; now?&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2020 22:01:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476131#M81726</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-04-14T22:01:48Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476132#M81727</link>
      <description>&lt;P&gt;Try&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///apps/logs/access_log/access_log.*]
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 14 Apr 2020 23:22:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476132#M81727</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2020-04-14T23:22:23Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476133#M81728</link>
      <description>&lt;P&gt;yes it run as root.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 05:09:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476133#M81728</guid>
      <dc:creator>khandelwaly</dc:creator>
      <dc:date>2020-04-15T05:09:59Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476134#M81729</link>
      <description>&lt;P&gt;logs file name is access_log.2020-04-14. No folder with name access_log.&lt;BR /&gt;
Tried without access_log folder as well but it didnot work&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 05:00:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476134#M81729</guid>
      <dc:creator>khandelwaly</dc:creator>
      <dc:date>2020-09-30T05:00:56Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476135#M81730</link>
      <description>&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/Troubleshooting/Cantfinddata"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.3/Troubleshooting/Cantfinddata&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 09:44:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476135#M81730</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-04-15T09:44:44Z</dc:date>
    </item>
    <item>
      <title>Re: how to configure inputs.conf?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476136#M81731</link>
      <description>&lt;P&gt;Did you restart the forwarder after changing inputs.conf?&lt;BR /&gt;
Does Splunk have read access to the logs?&lt;BR /&gt;
Do the files appear in the output of the CLI command &lt;CODE&gt;splunk list monitor&lt;/CODE&gt;?&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 12:35:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/how-to-configure-inputs-conf/m-p/476136#M81731</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2020-04-15T12:35:19Z</dc:date>
    </item>
  </channel>
</rss>

