Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Are Wildcards supported for use with UNC Paths...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are Wildcards supported for use with UNC Paths?
I am trying to index a UNC Path, but am unable to use wildcards..
Here's what I"m trying to match
\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG
I don't want to match this
\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG
The manual indicates I could use *, but am having no luck.. Have tried this..
\\IISLOGS\MYSERVER*
\\IISLOGS\MYSERVER*\
NO indexing at all occurs if I do this..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Finally able to get this to work. Ended up deleting all the configuration on my server and recreating it, so potentially their was something conflicting? Anyway, just wanted to close the loop on this, showing that you can wildcard in your inputs.conf file without using transforms... Here's three examples of syntax I used for the monitor headers that WORKED.
[monitor://\ServerLogs\prod\prod-iislogs\HS1WS*...]
[monitor://\ServerLogs\prod\prod-iislogs\HS2WS*...]
[monitor://\ServerLogs\prod\prod-iislogs\SI1WS*...]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We should be able to use your existing singular whitelist to eat the directory, but exclude everything other than your server, as you have done.
Then.. create two files in the same dir called "props.conf" & "transforms.conf" (assuming you're in the $SPLUNK_HOME/etc/apps/search/local directory
in props.conf, we can choose how events get selected and are processed by "transforms.conf". Transforms.conf will make our "index-switching" happen on the fly. Just tested it locally, seems to work just fine.
PROPS.CONF
[source::...Order...]
TRANSFORMS-moveorders = toIndex1
[source::...Product...]
TRANSFORMS-moveproducts = toIndex2
[source::...Customer...]
TRANSFORMS-movecustomers = toIndex3
TRANSFORMS.CONF
[toIndex1]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index1
[toIndex2]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index2
[toIndex3]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you considered just eating \IISLOGS and using
_blacklist = YOURSERVER
http://www.splunk.com/base/Documentation/latest/Data/Whitelistorblacklistspecificincomingdata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk only lets you monitor a directory once. What is your scheme for determining what data goes in which index?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: Did NOT work as expected... When creating a SECOND input for the same path for the second set of servers, I got a message indicating that I could not create an input with the same name..
This seems like pretty basic functionality.. Essentially, I want to create multiple indexes with files with a common path..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome.. I could not get it to work using wildcards in the path, but using a WHITELIST, it worked perfectly...
.*MYSERVER.*
Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry... need to clarify my example. Was hoping not to have a seperate entry for each server..
Need to match the following..
\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER02\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER03\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER04\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER05\W3SVC01\EX10.LOG
Don't want to match..
\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I updated my answer, basically just use more wildcards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your examples seem a bit odd to me, but to match your .LOG files in your example you would use
\\IISLOGS\MYSERVER01\W3SVC01\*.LOG
[EDIT]
You could use the wildcard as such:
\\IISLOGS\MYSERVER*\W3SVC01\*.LOG
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
