Deployment Architecture

monitor particular log in universal forwarder

puneethgowda
Communicator


Hi all,

How do we monitor one particular log through the universal forwarder? We are writing 10 different logs into the same folder, each with different fields.

Also, the logs are currently being forwarded to the main index. How do we forward them into a new index, and how do we set a sourcetype for each log, since each log has different fields?

Regards,

Puneeth

0 Karma
1 Solution

inventsekar
Ultra Champion

"How do we monitor one particular log through the universal forwarder, because we are writing 10 different logs in the same folder with different fields" ///
Can you please give us more info:
- Is the log you want to monitor changing (rolling log files)?
- If the file name is not changing, as per the screenshot, you can put the full log file name in inputs.conf:
[monitor://D:\HotelHub\Log4NetLogs\UserSessionsInfo20170124-09.txt]

http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Monitorfilesanddirectorieswithinputs.conf
As you can see in the inputs.conf file format, you can include the index and sourcetype directly:
index =
sourcetype =


0 Karma

puneethgowda
Communicator

Thank you all

0 Karma

puneethgowda
Communicator

We are able to create a new sourcetype and a new index name, and we are still working on monitoring one particular log that sits inside many subfolders. Could anyone help us with this?

[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs\109\PH\AppServerDbconnectInfo*.txt]
# the setting is "disabled", not "disable"; an unknown key is silently ignored
disabled = 0
ignoreOlderThan = 1d
sourcetype = UFBETA_DbconnectInfo
# only one index per stanza; "index = main" removed so the events go to UFBETA
index = UFBETA

//D:\HotelHub\Log4NetLogs\109: after the folder named 109 there will be many subfolders, and we need to forward data from all of them. How do we pass a variable in place of \109\PH\?

We tried //D:\HotelHub\Log4NetLogs*\AppServerDbconnectInfo*.txt

but it is not working. We also tried

whitelist = query.log$
Here we give the path only up to Log4NetLogs, not 109\PH, because we need to read all the files under Log4NetLogs whose names start with AppServerDbconnect:
[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs]
# the setting is "disabled", not "disable"; an unknown key is silently ignored
disabled = 0
ignoreOlderThan = 1d
sourcetype = UFBETA_DbconnectInfo
# only one index per stanza; "index = main" removed so the events go to UFBETA
index = UFBETA
whitelist = AppServerDbconnectInfo.txt$

0 Karma


woodcock
Esteemed Legend

Split your stanzas like this:

[monitor://D:\HotelHub\Log4NetLogs\file1]
File1 settings here

[monitor://D:\HotelHub\Log4NetLogs\file2]
File2 settings here

[monitor://D:\HotelHub\Log4NetLogs\file3]
File3 settings here
0 Karma

gcusello
SplunkTrust

hi puneethgowda,
There are different ways to do this, but the easiest is to create a dedicated stanza in your inputs.conf:

[monitor://D:\HotelHub\Log4NetLogs\109\PH\UserSessionsInfo*.txt]
index=your_index
sourcetype=your_sourcetype

If you cannot do this, you have to override the index at index time:
transforms.conf

[overrideindex]
DEST_KEY = _MetaData:Index
REGEX = your_regex
FORMAT = my_new_index

props.conf

[mysourcetype]
TRANSFORMS-index = overrideindex

Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust

If your path can change, you can use the wildcard character "*" or three dots "...".
Bye.
Giuseppe

0 Karma
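As an added example (not code from the thread, and not Splunk's own implementation), the following Python script models the documented inputs.conf matching rules so you can check which files a stanza will pick up before pushing it to a forwarder. It reads a constructed inputs.conf that splits the log families into separate stanzas, each with its own index and sourcetype, uses "..." to recurse below Log4NetLogs, and evaluates the "*" attempt and the whitelist attempts from the thread against a constructed directory listing. The file tree, the second and third stanzas, the query.log whitelist and every name other than UFBETA and UFBETA_DbconnectInfo are assumptions for the example; the regex translation follows the rules in the inputs.conf documentation ("*" stays within one path segment, "..." spans directory levels, a bare directory is recursive), and whether "..." also matches with zero intervening directories is not verified here.

```python
import configparser
import re

# Constructed inputs.conf modelled on the layout in the thread. Stanza paths,
# index and sourcetype names other than UFBETA / UFBETA_DbconnectInfo are
# assumptions for this example, not the poster's real configuration.
INPUTS_CONF = r"""
[monitor://D:\HotelHub\Log4NetLogs\...\AppServerDbconnectInfo*.txt]
disabled = 0
index = UFBETA
sourcetype = UFBETA_DbconnectInfo

[monitor://D:\HotelHub\Log4NetLogs\...\UserSessionsInfo*.txt]
disabled = 0
index = UFBETA
sourcetype = UFBETA_UserSessionsInfo

[monitor://D:\HotelHub\Log4NetLogs]
disabled = 0
index = UFBETA
sourcetype = UFBETA_Query
whitelist = \\query[^\\]*\.log$
"""

# Constructed directory listing; no real files are touched.
FILES = [
    r"D:\HotelHub\Log4NetLogs\109\PH\AppServerDbconnectInfo20170124-09.txt",
    r"D:\HotelHub\Log4NetLogs\109\PH\UserSessionsInfo20170124-09.txt",
    r"D:\HotelHub\Log4NetLogs\110\PH\AppServerDbconnectInfo20170124-09.txt",
    r"D:\HotelHub\Log4NetLogs\110\PH\Query\query20170124-09.log",
    r"D:\HotelHub\Log4NetLogs\110\PH\Query\query.log",
    r"D:\HotelHub\Log4NetLogs\AppServerDbconnectInfo.txt",
    r"D:\HotelHub\OtherApp\AppServerDbconnectInfo20170124-09.txt",
]


def monitor_to_regex(stanza_path: str) -> re.Pattern:
    """Model of the documented monitor:// wildcard rules (not Splunk's code):
    '...' spans any number of directory levels, '*' matches within one path
    segment only, and a bare directory is monitored recursively. Windows paths
    are compared case-insensitively. Assumption: '...' needs at least one
    directory level between the segments around it."""
    parts, i = [], 0
    while i < len(stanza_path):
        if stanza_path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif stanza_path[i] == "*":
            parts.append(r"[^\\/]*")  # never crosses a path separator
            i += 1
        else:
            parts.append(re.escape(stanza_path[i]))
            i += 1
    body = "".join(parts)
    if "*" not in stanza_path and "..." not in stanza_path:
        body += r"(?:[\\/].*)?"  # directory stanza: everything beneath it
    return re.compile("^" + body + "$", re.IGNORECASE)


def stanza_matches(stanza_path: str, path: str) -> bool:
    return monitor_to_regex(stanza_path).match(path) is not None


def whitelist_hits(pattern: str, files):
    """whitelist/blacklist are regexes searched against the FULL path."""
    rx = re.compile(pattern)
    return [f for f in files if rx.search(f)]


def resolve(inputs_conf: str, files):
    """Return {path: (index, sourcetype)} for every file an enabled stanza
    picks up; the first matching stanza in file order wins in this model."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inputs_conf)
    picked = {}
    for name in cp.sections():
        if not name.startswith("monitor://"):
            continue
        s = cp[name]
        if s.get("disabled", "0").lower() not in ("0", "false"):
            continue
        path_re = monitor_to_regex(name[len("monitor://"):])
        wl = re.compile(s["whitelist"]) if "whitelist" in s else None
        bl = re.compile(s["blacklist"]) if "blacklist" in s else None
        for f in files:
            if f in picked or not path_re.match(f):
                continue
            if (wl and not wl.search(f)) or (bl and bl.search(f)):
                continue
            picked[f] = (s.get("index", "main"), s.get("sourcetype", ""))
    return picked


if __name__ == "__main__":
    for path, (idx, st) in resolve(INPUTS_CONF, FILES).items():
        print(f"{path}\n    -> index={idx} sourcetype={st}")
    attempt = r"D:\HotelHub\Log4NetLogs*\AppServerDbconnectInfo*.txt"
    print("\n'*' attempt picks:", [f for f in FILES if stanza_matches(attempt, f)])
    print("whitelist AppServerDbconnectInfo.txt$ keeps:",
          whitelist_hits(r"AppServerDbconnectInfo.txt$", FILES))
```

Two things the run makes visible: the "*" attempt only reaches files directly under Log4NetLogs because "*" does not cross a backslash, and a whitelist of AppServerDbconnectInfo.txt$ only keeps a file literally named that way, since the timestamp sits between the base name and the extension. A whitelist such as \\AppServerDbconnectInfo[^\\]*\.txt$ keeps the hourly files, but note that it is searched against the full path and so also keeps a same-named file under another directory, which is why the stanza path (not the whitelist) is the right place to fence the input. On a real forwarder, confirm the result with `splunk list monitor` rather than trusting the model.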

puneethgowda
Communicator

We are trying regex; let's see.

0 Karma


puneethgowda
Communicator


We cannot give the full path because the file name will keep changing.

0 Karma

puneethgowda
Communicator

No, we can't give the full path up to the extension, as the file name keeps changing every hour, and we also need to monitor the same file from another folder.

0 Karma