Monitoring Splunk

Asterisks in monitoring entry

damucka
Builder

Hello,

I would like to harvest the files with the "statements" pattern in the name. The examples would be:

/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/indexserver_ls5980.30240.executed_statements.071.trc
/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/indexserver_ls5980.30240.expensive_statements.004.trc

For that I have the following configuration on the forwarder side:

[monitor:///usr/sap/ICP/HDB02/ls5979/trace/.../*statements*trc]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_statements

This however does not seem to work.
How would I do this properly? Is it a problem of two asterisks in the filename pattern?

Kind Regards,
Kamil


sudosplunk
Motivator

The directory name 'ls5979' in question is different from the one in the monitor stanza. Not sure if it's a typo here.
However, do you see any errors in splunkd.log in reference to this file? Try running something like: index=_internal sourcetype=splunkd host=ForwarderHostName *statements*

You can also see input status using the REST API: http://ForwarderHostName:8089/services/admin/inputstatus (search (Ctrl+F) for 'statements' on this page).
Note: You'd need Splunk admin credentials to check input status.


damucka
Builder

Thank you.
Actually I have two hosts, ls5979 and ls5980, which is where the confusion came from. The configuration is also a bit different (the old version is active at the moment), which is (example ls5979):

[monitor:///usr/sap/ICP/HDB02/ls5979/trace/nameserver*executed_statements*trc]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_executed_statements
blacklist = [ICDicd]\d{6,}\.trc|rtedump|_alert_|available\.log$|nameserver_history\.trc$|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot)$

[monitor:///usr/sap/ICP/HDB02/ls5979/trace/DB_ICP/indexserver*executed_statements*trc]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_executed_statements
blacklist = [ICDicd]\d{6,}\.trc|rtedump|_alert_|available\.log$|nameserver_history\.trc$|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot)$

So, I am looking for the "executed_statements" pattern in the filename and would like to get the logs.
When I check the splunkd.log the only two entries there I can find are:

11-06-2018 10:20:34.054 +0100 INFO  TailingProcessor - Parsing configuration stanza: monitor:///usr/sap/ICP/HDB02/ls5979/trace/DB_ICP/indexserver*executed_statements*trc.
11-06-2018 10:20:34.056 +0100 INFO  TailingProcessor - Parsing configuration stanza: monitor:///usr/sap/ICP/HDB02/ls5979/trace/nameserver*executed_statements*trc.

... but I guess they are okay.
Still since 10:20 I am not getting any input from the corresponding files.


sudosplunk
Motivator

In your configs above, I noticed you're missing the "DB_ICP" directory after "trace" in the monitor stanza. Also, is it possible to specify a whitelist explicitly for the files you want to ingest rather than using a blacklist? Would something like the below work?

[monitor:///usr/sap/ICP/HDB02/ls5979/trace/DB_ICP/*executed_statements*trc]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_executed_statements
whitelist = indexserver|nameserver

damucka
Builder

Hello,

The missing DB_ICP is because for the nameserver I need to collect from the directory above, and for the indexserver from DB_ICP, which is already there in the input path.
Thinking about it now, I would try the following config; please let me know what you think:
[monitor:///usr/sap/ICP/HDB02/ls5979/trace/.../*]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_statements
whitelist = statements

My intention here is to collect all files with the "statement" pattern in the filename from the trace directory and below (DB_ICP).
Would that make sense?

Kind Regards,
Kamil

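An added example, not code from this thread or from Splunk: a small Python model of how a [monitor://<path>] stanza selects files, following the documented inputs.conf rules (`...` recurses through any number of directory levels, `*` matches within a single path segment, and whitelist/blacklist are regexes tested against the full path). The file listing is constructed; only the two indexserver paths are from the question, the rest are assumed so that the whitelist and blacklist have something to accept and reject. It runs the original `*statements*trc` stanza both with the ls5979 directory from the question and with ls5980, and the final `trace/.../*` plus `whitelist = statements` proposal with and without the blacklist from the earlier stanzas.

```python
"""Model of Splunk inputs.conf [monitor://] file selection.
Added example, not code from the thread or from Splunk. Rules modelled:
  ...        recurses through any number of directory levels
  *          matches any characters except the directory separator "/"
  whitelist  regex; when set, only files whose full path matches are read
  blacklist  regex; when set, files whose full path matches are skipped
"""
import re
from typing import List, Optional

# Constructed sample listing of an SAP HANA trace directory. The first two
# paths are quoted in the question; the others are assumed for illustration.
SAMPLE_FILES = [
    "/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/indexserver_ls5980.30240.executed_statements.071.trc",
    "/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/indexserver_ls5980.30240.expensive_statements.004.trc",
    "/usr/sap/ICP/HDB02/ls5980/trace/nameserver_ls5980.30201.executed_statements.012.trc",
    "/usr/sap/ICP/HDB02/ls5980/trace/nameserver_ls5980.30201.000.trc",
    "/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/indexserver_ls5980.30240.executed_statements.070.trc.old",
    "/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/indexserver_alert_ls5980.trc",
    "/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/statements_summary.json",
]

# whitelist and blacklist values exactly as posted in the thread
WHITELIST = r"statements"
BLACKLIST = (r"[ICDicd]\d{6,}\.trc|rtedump|_alert_|available\.log$|"
             r"nameserver_history\.trc$|table_consistency_check|"
             r"\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot)$")


def monitor_path_to_regex(monitor_path: str) -> "re.Pattern[str]":
    """Translate the <path> of a [monitor://<path>] stanza into an anchored regex.

    ".../" becomes "(?:.*/)?" so /foo/.../bar matches /foo/bar and /foo/1/2/bar;
    a trailing "..." becomes ".*"; "*" becomes "[^/]*"; the rest is literal.
    """
    parts: List[str] = []
    i = 0
    while i < len(monitor_path):
        if monitor_path.startswith(".../", i):
            parts.append("(?:.*/)?")
            i += 4
        elif monitor_path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(monitor_path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def select_files(files: List[str], monitor_path: str,
                 whitelist: Optional[str] = None,
                 blacklist: Optional[str] = None) -> List[str]:
    """Files a stanza would pick up: path wildcard match first, then the
    whitelist (must match) and blacklist (must not match) on the full path."""
    path_re = monitor_path_to_regex(monitor_path)
    wl = re.compile(whitelist) if whitelist else None
    bl = re.compile(blacklist) if blacklist else None
    selected = []
    for path in files:
        if not path_re.match(path):
            continue
        if wl is not None and wl.search(path) is None:
            continue
        if bl is not None and bl.search(path) is not None:
            continue
        selected.append(path)
    return selected


def wrong_host_stanza() -> List[str]:
    """First stanza from the question (ls5979) run against ls5980 files."""
    return select_files(SAMPLE_FILES,
                        "/usr/sap/ICP/HDB02/ls5979/trace/.../*statements*trc")


def two_asterisk_stanza() -> List[str]:
    """Same pattern with the host directory corrected: two '*' are fine."""
    return select_files(SAMPLE_FILES,
                        "/usr/sap/ICP/HDB02/ls5980/trace/.../*statements*trc")


def whitelist_only_stanza() -> List[str]:
    """The final proposal: trace/.../* plus whitelist = statements."""
    return select_files(SAMPLE_FILES, "/usr/sap/ICP/HDB02/ls5980/trace/.../*",
                        whitelist=WHITELIST)


def whitelist_and_blacklist_stanza() -> List[str]:
    """Final proposal combined with the blacklist from the earlier stanzas."""
    return select_files(SAMPLE_FILES, "/usr/sap/ICP/HDB02/ls5980/trace/.../*",
                        whitelist=WHITELIST, blacklist=BLACKLIST)


if __name__ == "__main__":
    for fn in (wrong_host_stanza, two_asterisk_stanza,
               whitelist_only_stanza, whitelist_and_blacklist_stanza):
        print(f"{fn.__name__}:")
        for path in fn():
            print("   ", path)
```

Run it with python3 and it prints the selection for each stanza. In this model the two asterisks in `*statements*trc` are not the problem: the ls5979 stanza selects nothing only because the sample files live under ls5980, the directory mismatch sudosplunk pointed out, and with ls5980 it picks up the three `*_statements*.trc` files in trace/ and trace/DB_ICP/. Note also that `whitelist = statements` is matched against the whole path, so on its own it also admits the rotated `.trc.old` file and the `.json` file; keeping the blacklist (or tightening the whitelist to something like `statements.*\.trc$`) brings the selection back to the three trace files.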