Consolidating two [monitor://] stanzas

_smp_ · ‎06-19-2020

I'm dealing with a set of web servers with an inconsistent access logging configuration. There is some variability in the path and the name of the files:
Source

/usr/local2/searchapps/v-ESP_ssl/logs/access.log
/usr/local2/searchapps/v-admin11/conf/ssl/logs/access_log
/usr/local2/searchapps/v-admin11/logs/access.log

There are additional file patterns in these same directory paths that I don't want to index:

<PATH>/access.log-2020-06-13-1592036161
<PATH>/access.log-2020-06-13-1592036161.gz

It seems I can pull everything in correctly with two [monitor] stanzas:

[monitor:///usr/local2/searchapps/v-*/.../logs/access*]
index           = web
sourcetype      = access_combined
crcSalt         = <SOURCE>
whitelist       = access[\._]log$

[monitor:///usr/local2/searchapps/v-*/logs/access*]
index           = web
sourcetype      = access_combined
crcSalt         = <SOURCE>
whitelist       = access[\._]log$

For my own education, I'm trying to simplify the configuration by collapsing them into a single stanza and getting rid of the whitelist. So far I've been unsuccessful, it seems mostly due to the behavior of the ... and * wildcards.

Is there a way to combine those two inputs into one and further simplify?

richgalloway · ‎06-19-2020

I don't see an easy way. Even if you were to come up with one, could you or your successor maintain it? What if another filepath had to be added? Keeping it simple does just mean fewer characters in the .conf file.

---
If this reply helps you, Karma would be appreciated.

Consolidating two [monitor://] stanzas

inputs.conf

monitor

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...