https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123855#M33462 <P>Use regex under stanza</P> <P>[monitor:///var/www/webapp/logs]<BR /> whitelist=\/var\/www\/webapp\/application\/logs\/\d{4}\/\d{2}\/\d{2}.log</P> <P>Please change regex if it does not work <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sun, 14 Sep 2014 10:09:23 GMT kml_uvce 2014-09-14T10:09:23Z https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123852#M33459 <P>our log path looks like this</P> <PRE><CODE>/var/www/webapp/application/logs/2014/09/13/03.log </CODE></PRE> <P>where 2014 is the year, 09 is the month, 13 is the day, and 03 is the hour.</P> <P>How can i capture this path pattern in input.conf so all auto generated starting with the year, month, day, hour are captured and the logs are sent to splunkstorm index?</P> Sat, 13 Sep 2014 08:47:08 GMT https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123852#M33459 zergid 2014-09-13T08:47:08Z https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123853#M33460 <P>have you looked at the wildcard characters? Either of the following should work - take a look at the docs for inputs.conf in the Search Reference manual.</P> <P><CODE>[monitor:///var/www/webapp/logs/.../*.log]</CODE><BR /> <CODE>[monitor:///var/www/webapp/logs/2014/*/*/*.log]</CODE></P> Sat, 13 Sep 2014 11:49:28 GMT https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123853#M33460 kristian_kolb 2014-09-13T11:49:28Z https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123854#M33461 <P>EDIT: I may have misunderstood your goal, and perahaps the other answer is the one you want.<BR /> If you just want to index those files, a wildcards or regex whitelist will do the job.</P> <P>If you want to find out the times from the path, the rest of my answer is relevant.</P> <HR /> <P>Splunk will attempt to guess the date from the filename first by TIME_FORMAT and then falling back to regexes as an initial seed/guess value before running the time extraction per-event logic. In other words the filename can influence timestamping.</P> <P>However, I'm unclear whether the full path is passed into this logic. I think it is not.</P> <P>The remaining options are:</P> <UL> <LI>ensure the modtime is accurate. Splunk will use the modtime as a guide for the data, so the pathname may be unnecessary.</LI> <LI>Put the date into the filename so that the filename logic can work</LI> <LI>Put timestamps in the file </LI> </UL> <P>Timestamps in the file is definitely the best outcome, but it might not be an availble choice to you.</P> Sun, 14 Sep 2014 01:17:31 GMT https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123854#M33461 jrodman 2014-09-14T01:17:31Z https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123855#M33462 <P>Use regex under stanza</P> <P>[monitor:///var/www/webapp/logs]<BR /> whitelist=\/var\/www\/webapp\/application\/logs\/\d{4}\/\d{2}\/\d{2}.log</P> <P>Please change regex if it does not work <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sun, 14 Sep 2014 10:09:23 GMT https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123855#M33462 kml_uvce 2014-09-14T10:09:23Z https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123856#M33463 <P>This will definitely limit the stanza to only match filenames like that (though I recommend anchoring the regex with ^ and $, but it won't make the numbers available elsewhere.</P> Mon, 15 Sep 2014 00:18:04 GMT https://community.splunk.com/t5/Splunk-Search/input-conf-path-has-numbers-how-do-i-capture-this/m-p/123856#M33463 jrodman 2014-09-15T00:18:04Z