Deployment Architecture

monitor particular log in universal forwarder

puneethgowda
Communicator

alt text

Hi all,

How do we monitor one particular log through universal forwarder because we are writing 10 different logs in same folder which is different fields.

and also logs are forwarding to main index how do we forward that into new index and how to set source type for each log as each logs having different fields.

Regards,

Puneeth

Tags (1)
0 Karma
1 Solution

inventsekar
Ultra Champion

How do we monitor one particular log through universal forwarder because we are writing 10 different logs in same folder which is different fields ///
Can you please update us more info...
- is that log which you want to monitor is changing? (rolling log files?)
- if the file name is not changing, as per the screenshot, you can update the inputs.conf with full logfile name.
[monitor://D:\HotelHub\Log4NetLogs\UserSessionsInfo20170124-09.txt]

http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Monitorfilesanddirectorieswithinputs.conf
as you can see on this inputs.conf file format, you can include index and sourcetype directly -
index =
sourcetype =

View solution in original post

0 Karma

puneethgowda
Communicator

Thank you all

0 Karma

puneethgowda
Communicator

We are able to create new sourcetype and new index name and still working on monitoring one particular log which will be inside so many subfolders could any one help us on this.

[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs\109\PH\AppServerDbconnectInfo*.txt]
disable = 0
index=main
ignoreOlderThan= 1d
sourcetype=UFBETA_DbconnectInfo
index=UFBETA

//D:\HotelHub\Log4NetLogs\109 after fodername 109 there will be many subfolder we need to forward data from all the folders how to pass variable in the place of \109\PH\

We tried //D:\HotelHub\Log4NetLogs*\AppServerDbconnectInfo*.txt

but not working and also we tried

whitelist = query.log$
here we are giving till Log4NetLogs no giving 109\PH because we need to read after Log4netlogs all the files which start with appserverdbconnect
[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs]
disable = 0
index=main
ignoreOlderThan= 1d
sourcetype=UFBETA_DbconnectInfo
index=UFBETA
whitelist = AppServerDbconnectInfo.txt$

0 Karma

puneethgowda
Communicator

We are able to create new sourcetype and new index name and still working on monitoring one particular log which will be inside so many subfolders could any one help us on this.

[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs\109\PH\AppServerDbconnectInfo*.txt]
disable = 0
index=main
ignoreOlderThan= 1d
sourcetype=UFBETA_DbconnectInfo
index=UFBETA

//D:\HotelHub\Log4NetLogs\109 after fodername 109 there will be many subfolder we need to forward data from all the folders how to pass variable in the place of \109\PH\

We tried //D:\HotelHub\Log4NetLogs*\AppServerDbconnectInfo*.txt

but not working and also we tried

whitelist = query.log$
here we are giving till Log4NetLogs no giving 109\PH because we need to read after Log4netlogs all the files which start with appserverdbconnect
[default]
host = BLRVMDBENAPP01

[monitor://D:\HotelHub\Log4NetLogs]
disable = 0
index=main
ignoreOlderThan= 1d
sourcetype=UFBETA_DbconnectInfo
index=UFBETA
whitelist = AppServerDbconnectInfo.txt$

0 Karma

woodcock
Esteemed Legend

Split your stanzas like this:

[monitor://D:\HotelHub\Log4NetLogs\file1]
File1 settings here

[monitor://D:\HotelHub\Log4NetLogs\file2]
File2 settings here

[monitor://D:\HotelHub\Log4NetLogs\file3]
File3 settings here
0 Karma

gcusello
SplunkTrust
SplunkTrust

hi puneethgowda,
you can follow different ways, but the easyer is to create a dedicated room in your inputs.conf:

[monitor://D:\HotelHub\Log4NetLogs\109\PH\UserSessionsInfo*.txt]
index=your_index
sourcetype=your_sourcetype

If you cannot do this you have to override index at indextime:
transforms.conf

 [overrideindex]
 DEST_KEY =_MetaData:Index
 REGEX = your_regex
 FORMAT = my_new_index

props.conf

 [mysourcetype]
 TRANSFORMS-index = overrideindex

Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

If your path can change, you can use jolly character "*" or three dots "...".
Bye.
Giuseppe

0 Karma

puneethgowda
Communicator

We are trying regex let's see

0 Karma

inventsekar
Ultra Champion

How do we monitor one particular log through universal forwarder because we are writing 10 different logs in same folder which is different fields ///
Can you please update us more info...
- is that log which you want to monitor is changing? (rolling log files?)
- if the file name is not changing, as per the screenshot, you can update the inputs.conf with full logfile name.
[monitor://D:\HotelHub\Log4NetLogs\UserSessionsInfo20170124-09.txt]

http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Monitorfilesanddirectorieswithinputs.conf
as you can see on this inputs.conf file format, you can include index and sourcetype directly -
index =
sourcetype =

0 Karma

puneethgowda
Communicator

alt text

We cannot give full path because file name will keep changing

0 Karma

puneethgowda
Communicator

No we can't give full path till extension as file name will keep changing every hour and also same file we need to monitor from other folder

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...