Getting Data In

File monitoring in inputs.conf

Boopalan
New Member

I want to configure an file in a directory which will be rolling over to new file within 2mins.
I tried basic inputs.conf as below, its working fine but its missing files which was rolled in to new For example, test.log is the file I want to continuously monitor, this test.log will be renamed as test-1.log within 2 mins and new datas will be written in test.log. My config is monitoring test.log once and after 6mins only test.log is again reading i.e., in between test-2.log created in 4th min and test-3.log in 6th min is ignored. I want to configure to monitor only test.log without any loss of data on it.
Note: logs are placed in *nix systems

inputs.conf used:

[monitor:///opt/sample/logs/test*.log]
index = test
disabled = false
sourcetype = test_logs
blacklist = (test*-\d{1,2}\.log$)
ignoreOlderThan = 30d
crcSalt = <SOURCE>
0 Karma

woodcock
Esteemed Legend

Like this:

[monitor:///opt/sample/logs/test*.log]
index = test
disabled = false
sourcetype = test_logs
blacklist = (test*-\d{2,}\.log$)

DEFINITELY DO NOT USE THESE:

ignoreOlderThan = 30d
crcSalt = <SOURCE>
0 Karma

somesoni2
Revered Legend

Try this

[monitor:///opt/sample/logs/test*.log]
 index = test
 sourcetype = test_logs
 ignoreOlderThan = 30d
0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...