Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Expand inputs.conf with wildcards

tyronetv
Communicator
‎11-12-2013 01:15 PM

Does anyone know of a tool that will 'expand' the monitor stanza from inputs.conf on a universalforwarder to show an example of logs to be watched?

I.e., I have a monitor stanza:

[monitor:///path/to/some/*/dir]
whitelist = /file_name(s).log$

And before I restart splunk and do the 'hope it works' I was wondering if there was a tool that would, using Splunk's logic, show me all the files the above would 'see' for monitoring.

I have multiple 'client' directories (being replaced above by the *) where some have specific logs and some do not. I would rather write one monitor for each type of log verses writing a new monitor stanza per client dir/log type.

And I need to test it before pulling the trigger and not impact other, already configured, data-gathering.

Tags (1)
0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-12-2013 01:38 PM

A fairly simplistic approach is just to use ls:

ls -d /path/to/some/*/dir
ls -d /path/to/some/*/dir/file_name*.log

The results is how the system will glob the filenames and create paths.

Also, you could quickly write something in perl, python, C, or any other language with a similar function. Then you could have that program pull any line with "[monitor…]" to parse the paths and glob them for you.

For a working way to do this really quick and dirty, do this:

ls -d $( awk '/monitor/' inputs.conf| sed -e 's|\[monitor://||' -e 's|\]$||')

Obviously adjust where you run this or specify full path to inputs.conf.

--
Jesse Trucks
Minister of Magic
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-12-2013 02:42 PM

There isn't a premade tool that does that to date that anyone has published. It might make a good feature request to Splunk.

--
Jesse Trucks
Minister of Magic
0 Karma
Reply

tyronetv
Communicator
‎11-12-2013 02:38 PM

The awk statement is fine and almost a mirror of what I've already done. I am looking for something that essentially mimics the expansion of the entire monitor stanza to include file names identified by the white/black lists as well as the monitor line.

0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎11-12-2013 02:04 PM

I assume the poster downvoted me because I didn't provide a ready to use answer, so now there is one. Please upvote it and accept as working if you test this and it works.

Thanks.

--
Jesse Trucks
Minister of Magic
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...