I'm dealing with a set of web servers with an inconsistent access logging configuration. There is some variability in the path and the name of the files:
Source
/usr/local2/searchapps/v-ESP_ssl/logs/access.log
/usr/local2/searchapps/v-admin11/conf/ssl/logs/access_log
/usr/local2/searchapps/v-admin11/logs/access.log
There are additional file patterns in these same directory paths that I don't want to index:
<PATH>/access.log-2020-06-13-1592036161
<PATH>/access.log-2020-06-13-1592036161.gz
It seems I can pull everything in correctly with two [monitor] stanzas:
[monitor:///usr/local2/searchapps/v-*/.../logs/access*]
index = web
sourcetype = access_combined
crcSalt = <SOURCE>
whitelist = access[\._]log$
[monitor:///usr/local2/searchapps/v-*/logs/access*]
index = web
sourcetype = access_combined
crcSalt = <SOURCE>
whitelist = access[\._]log$
For my own education, I'm trying to simplify the configuration by collapsing them into a single stanza and getting rid of the whitelist. So far I've been unsuccessful; it seems mostly due to the behavior of the ... and * wildcards.
Is there a way to combine those two inputs into one and further simplify?
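
The following is an added example, not part of the original post: a small Python model of which files the two stanzas above select. It assumes Splunk's documented translation of wildcards in monitor paths ("..." becomes ".*", "*" becomes "[^/]*") and uses Python's re module in place of Splunk's regex engine. The rotated-file paths are constructed by substituting one of the log directories for <PATH>, and the stanza labels "deep" and "flat" are names chosen here.

```python
import re

def monitor_to_regex(path):
    """Model of the implicit regex for a monitor path:
    '...' -> '.*' (any depth), '*' -> '[^/]*' (stays inside one path segment)."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def is_monitored(path, monitor, whitelist=None):
    """True if path matches the wildcard monitor path and, when set, the whitelist."""
    if not monitor_to_regex(monitor).search(path):
        return False
    return whitelist is None or re.search(whitelist, path) is not None

DEEP = "/usr/local2/searchapps/v-*/.../logs/access*"  # first stanza on the page
FLAT = "/usr/local2/searchapps/v-*/logs/access*"      # second stanza on the page
WHITELIST = r"access[\._]log$"                        # whitelist from both stanzas
STANZAS = {"deep": DEEP, "flat": FLAT}

WANTED = [  # the three sources listed in the post
    "/usr/local2/searchapps/v-ESP_ssl/logs/access.log",
    "/usr/local2/searchapps/v-admin11/conf/ssl/logs/access_log",
    "/usr/local2/searchapps/v-admin11/logs/access.log",
]
ROTATED = [  # constructed: <PATH> replaced with one of the directories above
    "/usr/local2/searchapps/v-admin11/logs/access.log-2020-06-13-1592036161",
    "/usr/local2/searchapps/v-admin11/logs/access.log-2020-06-13-1592036161.gz",
]

def matching_stanzas(path, whitelist=WHITELIST):
    """Names of the stanzas that would pick up this path."""
    return [n for n, m in STANZAS.items() if is_monitored(path, m, whitelist)]

if __name__ == "__main__":
    for p in WANTED + ROTATED:
        print(f"{p}\n  with whitelist: {matching_stanzas(p)}"
              f"  without: {matching_stanzas(p, None)}")
```

In this model "/.../" always requires at least one directory between "v-*" and "logs", so the first stanza never matches the files directly under v-*/logs, and "access*" also matches the rotated files unless the whitelist filters them out.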