topic Input Monitor order of precedence in Getting Data In

Input Monitor order of precedence

sean193 — Tue, 01 Dec 2020 13:26:11 GMT

Hi,

Will Splunk use a more explicit Monitor stanza vs a wildcard stanza. Since the stanza's are not identical I do not believe Splunk merges and applies lexicographical order so which stanze wins for the monitored file? My assumption is the more explicit stanza but I can't fing documentation to back that up.

Example:
[monitor:///var/log/]
index = linux
vs.
[monitor:///var/log/secure.log]
index = main

Re: Input Monitor order of precedence

richgalloway — Tue, 01 Dec 2020 14:28:53 GMT

Try it, find out, and report back. If the data from secure.log appears in index=main then you know the specific stanza trumps the general one. I suspect that is not the case, however.

Also, splunk list monitor on the monitoring instance may shed some light on what is being monitored.

If the specific stanza ends up duplicating the general one then you should be able to work around it with a blacklist.

[monitor:///var/log/] index = linux blacklist = secure\.log [monitor:///var/log/secure.log] index = main

Re: Input Monitor order of precedence

sean193 — Tue, 01 Dec 2020 15:17:50 GMT

Well after testing the explicit stanza wins, atleast in the case below. Secure when to main, not linux. This makes since to me just wish it was documented as I could see other people having questions like this.

[monitor:///var/log]
index = linux
disabled = 0

[monitor:///var/log/secure]
disabled = false

Re: Input Monitor order of precedence

richgalloway — Tue, 01 Dec 2020 17:49:51 GMT

Thanks for reporting back. Be sure to accept your answer to help future readers find the solution.

Consider submitting feedback on the documentation page. The Docs team is very good about clarifying the pages in response to user feedback.

Re: Input Monitor order of precedence

sean193 — Tue, 01 Dec 2020 17:56:10 GMT

Feedback as submitted to the doc team.