File monitoring in inputs.conf

Boopalan · ‎04-12-2019

I want to configure an file in a directory which will be rolling over to new file within 2mins.
I tried basic inputs.conf as below, its working fine but its missing files which was rolled in to new For example, test.log is the file I want to continuously monitor, this test.log will be renamed as test-1.log within 2 mins and new datas will be written in test.log. My config is monitoring test.log once and after 6mins only test.log is again reading i.e., in between test-2.log created in 4th min and test-3.log in 6th min is ignored. I want to configure to monitor only test.log without any loss of data on it.
Note: logs are placed in *nix systems

inputs.conf used:

[monitor:///opt/sample/logs/test*.log]
index = test
disabled = false
sourcetype = test_logs
blacklist = (test*-\d{1,2}\.log$)
ignoreOlderThan = 30d
crcSalt = <SOURCE>

woodcock · ‎04-13-2019

Like this:

[monitor:///opt/sample/logs/test*.log]
index = test
disabled = false
sourcetype = test_logs
blacklist = (test*-\d{2,}\.log$)

DEFINITELY DO NOT USE THESE:

ignoreOlderThan = 30d
crcSalt = <SOURCE>

somesoni2 · ‎04-12-2019

Try this

[monitor:///opt/sample/logs/test*.log]
 index = test
 sourcetype = test_logs
 ignoreOlderThan = 30d

File monitoring in inputs.conf

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

File monitoring in inputs.conf

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant