Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Expand inputs.conf with wildcards

tyronetv
Communicator
‎11-12-2013 01:15 PM

Does anyone know of a tool that will 'expand' the monitor stanza from inputs.conf on a universalforwarder to show an example of logs to be watched?

I.e., I have a monitor stanza:

[monitor:///path/to/some/*/dir]
whitelist = /file_name(s).log$

And before I restart splunk and do the 'hope it works' I was wondering if there was a tool that would, using Splunk's logic, show me all the files the above would 'see' for monitoring.

I have multiple 'client' directories (being replaced above by the *) where some have specific logs and some do not. I would rather write one monitor for each type of log verses writing a new monitor stanza per client dir/log type.

And I need to test it before pulling the trigger and not impact other, already configured, data-gathering.

Tags (1)
0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-12-2013 01:38 PM

A fairly simplistic approach is just to use ls:

ls -d /path/to/some/*/dir
ls -d /path/to/some/*/dir/file_name*.log

The results is how the system will glob the filenames and create paths.

Also, you could quickly write something in perl, python, C, or any other language with a similar function. Then you could have that program pull any line with "[monitor…]" to parse the paths and glob them for you.

For a working way to do this really quick and dirty, do this:

ls -d $( awk '/monitor/' inputs.conf| sed -e 's|\[monitor://||' -e 's|\]$||')

Obviously adjust where you run this or specify full path to inputs.conf.

--
Jesse Trucks
Minister of Magic
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-12-2013 02:42 PM

There isn't a premade tool that does that to date that anyone has published. It might make a good feature request to Splunk.

--
Jesse Trucks
Minister of Magic
0 Karma
Reply

tyronetv
Communicator
‎11-12-2013 02:38 PM

The awk statement is fine and almost a mirror of what I've already done. I am looking for something that essentially mimics the expansion of the entire monitor stanza to include file names identified by the white/black lists as well as the monitor line.

0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-12-2013 02:04 PM

I assume the poster downvoted me because I didn't provide a ready to use answer, so now there is one. Please upvote it and accept as working if you test this and it works.

Thanks.

--
Jesse Trucks
Minister of Magic
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...