Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Adding a directory with variables
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
markthompson
Builder
10-01-2014
06:06 AM
Hi,
I'm trying to index a directory, that has subdirectories in this format:
-Directory
---Sub Directory
-----Logs
---Sub Directory
-----Logs
---Sub Directory
-----Logs
Like the above, and basically I want to add 1 data input, which would look something like /directory/.../logs so the ... can be any of the sub directory names. Please can somebody help with some syntax on how to do this.
I look forward to your response.
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
10-01-2014
06:12 AM
Hi markthompson,
that's exactly what you need to do, create a monitor stanza in inputs.conf (or in the UI, data inputs) that looks likt this:
[monitor://directory/.../Logs/*]
see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Specifyinputpathswithwildcards
hope that helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
10-01-2014
06:12 AM
Hi markthompson,
that's exactly what you need to do, create a monitor stanza in inputs.conf (or in the UI, data inputs) that looks likt this:
[monitor://directory/.../Logs/*]
see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Specifyinputpathswithwildcards
hope that helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
markthompson
Builder
10-01-2014
06:52 AM
Hey MuS, can you tell me the path for the inputs.conf please. splunk -> etc?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
10-01-2014
11:07 AM
Hi, you would do that on the directory source server and in etc/system/local/inputs.conf for example
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pmdba
Builder
10-01-2014
06:11 AM
You can use wildcards in the directory path. I often use something like this:
[monitor:///export/oracle/diag/rdbms/*/*/trace/alert*.log]
to pick up logs for all of my databases with a single monitor.
Get Updates on the Splunk Community!
The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...
The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...
Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25
Hello Splunkers,
Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...
Community Spotlight: A Splunk Expert's Journey
In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
