Solved: Adding a directory with variables

markthompson · ‎10-01-2014

Hi,
I'm trying to index a directory, that has subdirectories in this format:

-Directory
        ---Sub Directory
                 -----Logs
        ---Sub Directory
                 -----Logs
        ---Sub Directory
                 -----Logs

Like the above, and basically I want to add 1 data input, which would look something like /directory/.../logs so the ... can be any of the sub directory names. Please can somebody help with some syntax on how to do this.

I look forward to your response.

Thanks

MuS · ‎10-01-2014

Hi markthompson,

that's exactly what you need to do, create a monitor stanza in inputs.conf (or in the UI, data inputs) that looks likt this:

 [monitor://directory/.../Logs/*]

see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Specifyinputpathswithwildcards

hope that helps ...

cheers, MuS

View solution in original post

MuS · ‎10-01-2014

Hi markthompson,

that's exactly what you need to do, create a monitor stanza in inputs.conf (or in the UI, data inputs) that looks likt this:

 [monitor://directory/.../Logs/*]

see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Specifyinputpathswithwildcards

hope that helps ...

cheers, MuS

markthompson · ‎10-01-2014

Hey MuS, can you tell me the path for the inputs.conf please. splunk -> etc?

MuS · ‎10-01-2014

Hi, you would do that on the directory source server and in etc/system/local/inputs.conf for example

pmdba · ‎10-01-2014

You can use wildcards in the directory path. I often use something like this:

[monitor:///export/oracle/diag/rdbms/*/*/trace/alert*.log]

to pick up logs for all of my databases with a single monitor.

Adding a directory with variables

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]