https://community.splunk.com/t5/Splunk-Search/Monitor-a-directory-and-using-whitelisting/m-p/58108#M14193 <P>I have a logging share right on the splunk server where a number of webservers write a few logs to. The structure more or less would look like:</P> <P>(There are a number of "web" servers such as web-02, -03 ..etc)</P> <PRE><CODE>/opt/var/log/httpd/web-01.domain.com/access.log /opt/var/log/httpd/web-01.domain.com/access.log.1.gz /opt/var/log/httpd/web-01.domain.com/access.log.2.gz /opt/var/log/httpd/web-01.domain.com/tmp.dmp </CODE></PRE> <P>(There are a number of "app" servers such as app-02 , -03, ..etc)</P> <PRE><CODE>/opt/var/log/httpd/app-01.domain.com/access.log /opt/var/log/httpd/app-01.domain.com/access.log.1.gz /opt/var/log/httpd/app-01.domain.com/access.log.2.gz /opt/var/log/httpd/app-01.domain.com/tmp.dmp </CODE></PRE> <P>Note: the logs in each directory that I want to index are access.log , error.log, rewrite.log ..etc . Basically anything that is a current *.log file.</P> <P>What I want to do is only index the "web" servers and only the uncompressed *.log files. It should ignore the app server directories.</P> <P>I setup an input with the following:</P> <P>Host - regex on path Hostname (regex): /opt/var/log/httpd/([^/]+)/</P> <P>Advanced Options Whitelist: I've tried the following: (all variations of that without escaping /)</P> <PRE><CODE>\/web-\d+\.domain\.com\/\w+\.log$ web-*\/*.log$ web-\d+\.*\/\w+\.log$ web-*\.log$ </CODE></PRE> <P>When I save the input and after a minute or so, the "Number of files" on the Input summary page shows 180 when it should only be indexing 24 files.</P> <P>Is that number on the Input summary page accurate? Is that the actual number of files that are being indexed, even after whitelisting?</P> <P>If so, what am I missing here?</P> Sat, 12 Mar 2011 05:25:31 GMT jeffwarn 2011-03-12T05:25:31Z https://community.splunk.com/t5/Splunk-Search/Monitor-a-directory-and-using-whitelisting/m-p/58108#M14193 <P>I have a logging share right on the splunk server where a number of webservers write a few logs to. The structure more or less would look like:</P> <P>(There are a number of "web" servers such as web-02, -03 ..etc)</P> <PRE><CODE>/opt/var/log/httpd/web-01.domain.com/access.log /opt/var/log/httpd/web-01.domain.com/access.log.1.gz /opt/var/log/httpd/web-01.domain.com/access.log.2.gz /opt/var/log/httpd/web-01.domain.com/tmp.dmp </CODE></PRE> <P>(There are a number of "app" servers such as app-02 , -03, ..etc)</P> <PRE><CODE>/opt/var/log/httpd/app-01.domain.com/access.log /opt/var/log/httpd/app-01.domain.com/access.log.1.gz /opt/var/log/httpd/app-01.domain.com/access.log.2.gz /opt/var/log/httpd/app-01.domain.com/tmp.dmp </CODE></PRE> <P>Note: the logs in each directory that I want to index are access.log , error.log, rewrite.log ..etc . Basically anything that is a current *.log file.</P> <P>What I want to do is only index the "web" servers and only the uncompressed *.log files. It should ignore the app server directories.</P> <P>I setup an input with the following:</P> <P>Host - regex on path Hostname (regex): /opt/var/log/httpd/([^/]+)/</P> <P>Advanced Options Whitelist: I've tried the following: (all variations of that without escaping /)</P> <PRE><CODE>\/web-\d+\.domain\.com\/\w+\.log$ web-*\/*.log$ web-\d+\.*\/\w+\.log$ web-*\.log$ </CODE></PRE> <P>When I save the input and after a minute or so, the "Number of files" on the Input summary page shows 180 when it should only be indexing 24 files.</P> <P>Is that number on the Input summary page accurate? Is that the actual number of files that are being indexed, even after whitelisting?</P> <P>If so, what am I missing here?</P> Sat, 12 Mar 2011 05:25:31 GMT https://community.splunk.com/t5/Splunk-Search/Monitor-a-directory-and-using-whitelisting/m-p/58108#M14193 jeffwarn 2011-03-12T05:25:31Z https://community.splunk.com/t5/Splunk-Search/Monitor-a-directory-and-using-whitelisting/m-p/58109#M14194 <P>what is the path/pattern you entered to be monitored? Did you enter each individual directory, or specify <CODE>/opt/var/log/httpd/web-*/*.log</CODE>, or something else?</P> Sat, 12 Mar 2011 10:19:05 GMT https://community.splunk.com/t5/Splunk-Search/Monitor-a-directory-and-using-whitelisting/m-p/58109#M14194 gkanapathy 2011-03-12T10:19:05Z https://community.splunk.com/t5/Splunk-Search/Monitor-a-directory-and-using-whitelisting/m-p/58110#M14195 <P>I found another article which shed light on the page: <A href="http://SPLUNKSERVER:8089/services/admin/inputstatus/TailingProcessor:FileStatus">http://SPLUNKSERVER:8089/services/admin/inputstatus/TailingProcessor:FileStatus</A> which shows a good indication of what is being processed. I suppose that "number of files" field on the inputs summary page does not take into account any filtered items.</P> <P>Using the pattern: .<EM>-web-\d+.</EM>/*.log$ seemed to work just fine. It was just driving me nuts thinking I was indexing all these other files when I wasn't.</P> Mon, 14 Mar 2011 20:25:38 GMT https://community.splunk.com/t5/Splunk-Search/Monitor-a-directory-and-using-whitelisting/m-p/58110#M14195 jeffwarn 2011-03-14T20:25:38Z https://community.splunk.com/t5/Splunk-Search/Monitor-a-directory-and-using-whitelisting/m-p/58111#M14196 <P>Sorry - as you've noted, the traditional ways of listing monitor inputs are a bit buggy in recent versions. The REST endpoint provides a much clearer view. You can get a summarized/realtime-ish view of the endpoint via the script @ <A href="http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/">http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/</A></P> Fri, 22 Apr 2011 17:38:00 GMT https://community.splunk.com/t5/Splunk-Search/Monitor-a-directory-and-using-whitelisting/m-p/58111#M14196 amrit 2011-04-22T17:38:00Z