Re: Can we use OR condition in monitoring stanza

Naga · ‎10-26-2021

Good day Team,

I have a application which contains 5 servers. Each server is having different path. But the end is to read error.log and wrapper.log

/log/apple/production/A1/error.log

/log/ball/production/A2/error.log

..

Here I can use regex like this in monitor stanza -- /log/*/prodcution/*/error.log

But the problem is each server is having many folders for that *. I dont want all folders. Need only few.

Say the first star. I want only apple or ball or cat. If it is any other name in any server I can ignore

Similarly take the second star. I want only A1 or A2 or A3. I can ignore B1 or C1 or so.

So is it possible to write like that using any regex either in inputs itself or using props?

somesoni2 · ‎10-26-2021

A good read can be found here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Specifyinputpathswithwildcards

richgalloway · ‎10-26-2021

Yes, a MONITOR stanza name can contain a regular expression, but only if that stanza name also uses the "*" or "..." operator. Those operators trigger the regex parser.

---
If this reply helps you, Karma would be appreciated.

Can we use OR condition in monitoring stanza

props.conf

universal forwarder

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation