Hi all,
How do we monitor one particular log through the universal forwarder? We are writing 10 different logs to the same folder, each with different fields.
Also, the logs are currently forwarded to the main index. How do we forward them into a new index, and how do we set a sourcetype for each log, as each log has different fields?
Regards,
Puneeth
How do we monitor one particular log through the universal forwarder? We are writing 10 different logs to the same folder, each with different fields. ///
Can you please update us with more info...
- Is the log which you want to monitor changing? (rolling log files?)
- If the file name is not changing, as per the screenshot, you can update inputs.conf with the full log file name:
[monitor://D:\HotelHub\Log4NetLogs\UserSessionsInfo20170124-09.txt]
http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Monitorfilesanddirectorieswithinputs.conf
As you can see in this inputs.conf file format, you can include the index and sourcetype directly:
index =
sourcetype =
Thank you all.
We are able to create a new sourcetype and a new index name, and are still working on monitoring one particular log which will be inside many subfolders. Could anyone help us on this?
[default]
host = BLRVMDBENAPP01
[monitor://D:\HotelHub\Log4NetLogs\109\PH\AppServerDbconnectInfo*.txt]
# the setting is "disabled", not "disable"
disabled = 0
# index was set twice in this stanza (main, then UFBETA); the last value wins, so keep only the intended one
index = UFBETA
ignoreOlderThan = 1d
sourcetype = UFBETA_DbconnectInfo
D:\HotelHub\Log4NetLogs\109: after the folder name 109 there will be many subfolders, and we need to forward data from all of the folders. How do we pass a variable in place of \109\PH\?
We tried //D:\HotelHub\Log4NetLogs*\AppServerDbconnectInfo*.txt
but it is not working, and we also tried
whitelist = query.log$
Here we are giving the path only up to Log4NetLogs, not 109\PH, because we need to read all the files under Log4NetLogs which start with AppServerDbconnect.
[default]
host = BLRVMDBENAPP01
[monitor://D:\HotelHub\Log4NetLogs]
# the setting is "disabled", not "disable"
disabled = 0
# index was set twice in this stanza (main, then UFBETA); the last value wins, so keep only the intended one
index = UFBETA
ignoreOlderThan = 1d
sourcetype = UFBETA_DbconnectInfo
whitelist = AppServerDbconnectInfo.txt$
Split your stanzas like this:
[monitor://D:\HotelHub\Log4NetLogs\file1]
File1 settings here
[monitor://D:\HotelHub\Log4NetLogs\file2]
File2 settings here
[monitor://D:\HotelHub\Log4NetLogs\file3]
File3 settings here
Hi puneethgowda,
you can follow different ways, but the easiest is to create a dedicated stanza in your inputs.conf:
[monitor://D:\HotelHub\Log4NetLogs\109\PH\UserSessionsInfo*.txt]
index=your_index
sourcetype=your_sourcetype
If you cannot do this, you have to override the index at index time:
transforms.conf
[overrideindex]
DEST_KEY = _MetaData:Index
REGEX = your_regex
FORMAT = my_new_index
props.conf
[mysourcetype]
TRANSFORMS-index = overrideindex
Bye.
Giuseppe
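For the index-time fallback described above, here is an added example that fills in the placeholders; it is not configuration from Giuseppe's post or from the original question. It assumes the events already arrive with the sourcetype UFBETA_DbconnectInfo and routes them to the UFBETA index based on the source path; the transform name and the regex are assumptions. Index-time transforms like this run on the indexer (or a heavy forwarder), not on the universal forwarder, so these two files belong on the indexing tier.

```ini
# transforms.conf on the indexer / heavy forwarder (added example, not from the thread).
# Match on the source path rather than on _raw, so the routing does not depend
# on the content of the log line. Transform name and regex are assumed; the
# regex allows for the timestamp that sits between the prefix and ".txt".
[route_dbconnect_to_ufbeta]
SOURCE_KEY = MetaData:Source
REGEX = AppServerDbconnectInfo[\d-]*\.txt$
DEST_KEY = _MetaData:Index
FORMAT = UFBETA

# props.conf on the same host. Apply the transform to events that carry the
# sourcetype set by the forwarder. The UFBETA index must already exist on the
# indexer for the routed events to be stored.
[UFBETA_DbconnectInfo]
TRANSFORMS-routeindex = route_dbconnect_to_ufbeta
```

After deploying both files, restart or reload the indexer and check a fresh event with `index=UFBETA sourcetype=UFBETA_DbconnectInfo` to confirm the route took effect; an event that still lands in main usually means the regex did not match the full source path.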
If your path can change, you can use the wildcard character "*" or three dots "...".
Bye.
Giuseppe
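Putting the suggestions in this thread together (a dedicated stanza per log family, the recursive "..." path element, and a whitelist that allows for the hourly timestamp in the file names), here is an added example inputs.conf for the universal forwarder. It is not configuration from any of the posts; the paths, the UFBETA index and the UFBETA_DbconnectInfo sourcetype come from the thread, while the UFBETA_UserSessions sourcetype is assumed.

```ini
# inputs.conf on the universal forwarder (added example, not from the thread).
# Paths, the UFBETA index and the UFBETA_DbconnectInfo sourcetype come from the
# thread; the UFBETA_UserSessions sourcetype is assumed.

[default]
host = BLRVMDBENAPP01

# "..." matches any number of directory levels, so this one stanza covers
# D:\HotelHub\Log4NetLogs\109\PH\, D:\HotelHub\Log4NetLogs\110\PH\ and so on.
# "*" in the file name matches the hourly timestamp but never a path separator.
[monitor://D:\HotelHub\Log4NetLogs\...\AppServerDbconnectInfo*.txt]
disabled = 0
index = UFBETA
sourcetype = UFBETA_DbconnectInfo
ignoreOlderThan = 1d

# A second log family written to the same folders gets its own stanza, so each
# file type is tagged with its own sourcetype (and, if wanted, index) at input time.
[monitor://D:\HotelHub\Log4NetLogs\...\UserSessionsInfo*.txt]
disabled = 0
index = UFBETA
sourcetype = UFBETA_UserSessions
ignoreOlderThan = 1d

# Equivalent using a directory stanza plus whitelist. A directory monitor is
# recursive by default. The whitelist is a regex matched against the full path,
# so the timestamp between the prefix and ".txt" must be allowed for: the
# thread's "AppServerDbconnectInfo.txt$" only matches a file literally named that.
# [monitor://D:\HotelHub\Log4NetLogs]
# disabled = 0
# index = UFBETA
# sourcetype = UFBETA_DbconnectInfo
# ignoreOlderThan = 1d
# whitelist = AppServerDbconnectInfo[\d-]*\.txt$
```

Keep the two wildcard stanzas non-overlapping: a file that matches more than one monitor stanza is read only once, under the first stanza that claims it, so a shared directory stanza with no whitelist would silently take every file in the tree under a single sourcetype. The UFBETA index must exist on the indexer before the forwarder starts sending.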
We are trying regex, let's see.
No, we can't give the full path up to the extension, as the file name will keep changing every hour, and we also need to monitor the same file from other folders.