https://community.splunk.com/t5/Getting-Data-In/How-can-we-get-the-logs-generated-only-in-an-indicated-period/m-p/164977#M98129 <P>we don't know exactly the name fo logs. The logs generate every day.</P> Thu, 25 Dec 2014 04:14:41 GMT xiyangyang 2014-12-25T04:14:41Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-get-the-logs-generated-only-in-an-indicated-period/m-p/164975#M98127 <P>we need take the logs generated from 00:00 ~8:00 under one folder (for example: folder /a/).<BR /> Under /a/, there are several log files. For example: a.log, b.log.<BR /> a.log is generated from 00:00~8:00, but b.log is not.<BR /> We set input.conf as follow and start the log acquasition from 0:00 and stop it at 8:00 everyday:<BR /> 　　　　　　[monitor:///a/*]<BR /> 　　　　　　disabled = false<BR /> 　　　　　　sourcetype = xxxxx<BR /> 　　　　　　index = ssss<BR /> 　　　　　　followTail = 1<BR /> 　　　　　　ignoreOlderThan = 1d<BR /> Under this settings, we got both a.log and b.log. however, b.log is not the target, </P> <P>How can we get the log which generated in the correct period only?<BR /> We cannot use white list or black list, because there are a lot of logs.</P> Thu, 25 Dec 2014 03:01:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-get-the-logs-generated-only-in-an-indicated-period/m-p/164975#M98127 xiyangyang 2014-12-25T03:01:39Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-get-the-logs-generated-only-in-an-indicated-period/m-p/164976#M98128 <P>If you know which logs these are, you can create an input for the specific files. That is probably the best way to accomplish this..</P> <HR /> <PRE><CODE>[monitor:///a/a.log] sourcetype = alog index = ssss followTail = 1 ignoreOlderThan = 1d [monitor:///a/b.log] sourcetype = blog index = ssss followTail = 1 ignoreOlderThan = 1d [monitor:///a/c.log] sourcetype = clog index = ssss followTail = 1 ignoreOlderThan = 1d </CODE></PRE> <P>You can also leave in the monitor glob for the whole directory, after these specific inputs...</P> Thu, 25 Dec 2014 03:27:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-get-the-logs-generated-only-in-an-indicated-period/m-p/164976#M98128 esix_splunk 2014-12-25T03:27:54Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-get-the-logs-generated-only-in-an-indicated-period/m-p/164977#M98129 <P>we don't know exactly the name fo logs. The logs generate every day.</P> Thu, 25 Dec 2014 04:14:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-get-the-logs-generated-only-in-an-indicated-period/m-p/164977#M98129 xiyangyang 2014-12-25T04:14:41Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-get-the-logs-generated-only-in-an-indicated-period/m-p/164978#M98130 <P>If the names of the logs are truly random, and cant apply a whitelist / blacklist, then you really cant do much except the monitor the whole directory.</P> <P>Whitelisting the filenames would be the best method to approach this.</P> <P>If you are not looking at realtime monitoring of these files, then you might be better to work on a scripted solution that will move only the desired logs to a separate folder and have splunk monitor that directory.. That does require some scripting outside of Splunk though...</P> <P>Is this a custom app?</P> Thu, 25 Dec 2014 04:59:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-get-the-logs-generated-only-in-an-indicated-period/m-p/164978#M98130 esix_splunk 2014-12-25T04:59:13Z