Hello,
I would like to harvest the files with the "statements" pattern in the name. The examples would be:
/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/indexserver_ls5980.30240.executed_statements.071.trc
/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/indexserver_ls5980.30240.expensive_statements.004.trc
For that I have the following configuration on the forwarder side:
[monitor:///usr/sap/ICP/HDB02/ls5979/trace/.../*statements*trc]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_statements
This however does not seem to work.
How would I do this properly? Is it a problem of two asterisks in the filename pattern?
Kind Regards,
Kamil
The directory name 'ls5979' in question is different from the one in monitor stanza. Not sure if it's a typo here.
However, do you see any errors in splunkd.log in reference to this file? Try running something like, index=_internal sourcetype=splunkd host=ForwarderHostName *statements*
You can also see input status using the REST API. http://ForwarderHostName:8089/services/admin/inputstatus
(search (ctrl+f) for 'statements' on this page)
Note: You'd need Splunk admin credentials to check input status
Thank you.
Actually I have two hosts, that is how the confusion came, the ls5979 and ls5980. And also the configuration is a bit different (the old version is active at the moment), which is (example ls5979):
[monitor:///usr/sap/ICP/HDB02/ls5979/trace/nameserver*executed_statements*trc]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_executed_statements
blacklist = [ICDicd]\d{6,}\.trc|rtedump|_alert_|available\.log$|nameserver_history\.trc$|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot)$
[monitor:///usr/sap/ICP/HDB02/ls5979/trace/DB_ICP/indexserver*executed_statements*trc]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_executed_statements
blacklist = [ICDicd]\d{6,}\.trc|rtedump|_alert_|available\.log$|nameserver_history\.trc$|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot)$
So, I am looking for the "executed_statements" pattern in the filename and would like to get the logs.
When I check the splunkd.log the only two entries there I can find are:
11-06-2018 10:20:34.054 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor:///usr/sap/ICP/HDB02/ls5979/trace/DB_ICP/indexserver*executed_statements*trc.
11-06-2018 10:20:34.056 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor:///usr/sap/ICP/HDB02/ls5979/trace/nameserver*executed_statements*trc.
.. but I guess they are okay.
Still since 10:20 I am not getting any input from the corresponding files.
In your configs above, I noticed you're missing the "DB_ICP" directory after "trace" in the monitor stanza. Also, is it possible to specify a whitelist explicitly for the file you want to ingest rather than using a blacklist? Would something like the below work?
[monitor:///usr/sap/ICP/HDB02/ls5979/trace/DB_ICP/*executed_statements*trc]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_executed_statements
whitelist = indexserver|nameserver
Hello,
The missing DB_ICP is because for the nameserver I need to collect from the directory above and for the indexserver from the DB_ICP, where it is already there in the input path.
When I think of that now, I would try the following config, please let me know what you think:
[monitor:///usr/sap/ICP/HDB02/ls5979/trace/.../*]
index=mlbso
disabled=false
interval=15
sourcetype=ICP_statements
whitelist = statements
My intention here is to collect all files with the "statement" pattern in the filename from the trace directory and below (DB_ICP).
Would that make sense?
Kind Regards,
Kamil
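Added example (not part of the thread and not Splunk code): a simplified Python model of the documented monitor-path wildcards, where `...` recurses through directories and `*` stays within one path segment, applied to the stanzas and file names posted above. The function names are hypothetical, the ls5980 variants of the stanzas and the `OTHER` file are constructed, and treating `whitelist`/`blacklist` as unanchored regexes on the full path that are combined with the path match is an assumption of this sketch.

```python
import re

# Wildcard semantics for monitor paths: "..." spans directory levels, "*" stays in one segment.
_WILDCARDS = {"...": ".*", "*": "[^/]*"}

def monitor_path_to_regex(path):
    """Translate a monitor path with wildcards into an anchored regex (simplified model)."""
    parts = re.split(r"(\.\.\.|\*)", path)
    return re.compile("^" + "".join(_WILDCARDS.get(p, re.escape(p)) for p in parts) + "$")

def would_monitor(stanza_path, file_path, whitelist=None, blacklist=None):
    """Assumption of this sketch: path match AND whitelist match AND no blacklist match."""
    if not monitor_path_to_regex(stanza_path).match(file_path):
        return False
    if whitelist and not re.search(whitelist, file_path):
        return False
    return not (blacklist and re.search(blacklist, file_path))

# The two file names from the question, plus one constructed non-matching file.
BASE = "/usr/sap/ICP/HDB02/ls5980/trace/DB_ICP/"
EXECUTED = BASE + "indexserver_ls5980.30240.executed_statements.071.trc"
EXPENSIVE = BASE + "indexserver_ls5980.30240.expensive_statements.004.trc"
OTHER = BASE + "indexserver_ls5980.30240.000.trc"  # constructed

# Blacklist copied from the posted stanzas.
BLACKLIST = (r"[ICDicd]\d{6,}\.trc|rtedump|_alert_|available\.log$|nameserver_history\.trc$"
             r"|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot)$")

# (label, stanza path, whitelist, blacklist); ls5980 variants are constructed.
CASES = [
    ("posted, ls5979", "/usr/sap/ICP/HDB02/ls5979/trace/.../*statements*trc", None, None),
    ("same, ls5980", "/usr/sap/ICP/HDB02/ls5980/trace/.../*statements*trc", None, None),
    ("indexserver*executed", BASE + "indexserver*executed_statements*trc", None, BLACKLIST),
    ("trace/.../* + whitelist", "/usr/sap/ICP/HDB02/ls5980/trace/.../*", "statements", None),
]

if __name__ == "__main__":
    for label, stanza, wl, bl in CASES:
        hits = [would_monitor(stanza, f, wl, bl) for f in (EXECUTED, EXPENSIVE, OTHER)]
        print(f"{label:26} executed={hits[0]} expensive={hits[1]} other={hits[2]}")
```

In this model the two asterisks in the file name pattern do not prevent a match; the posted ls5979 stanza misses the example files only because they live under ls5980.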