Getting Data In

Forwarding profiles - how to

hokie1999
Explorer

Is there any way to set up profiles for commonly forwarded logs? I see:

http://docs.splunk.com/Documentation/WAS/latest/User/logdata

details logs. Is there any way I can set up a profile from the indexer to grab all the SystemErr.log, SystemOut.logs from app servers?

BTW, I'm running Splunk 5.0.2 on Red Hat 6.3. I have 2 indexers that are replicating, two search heads, and one master. Perhaps 80 devices are forwarding to the indexers.

0 Karma

hokie1999
Explorer

Thanks for the answer. What I wound up doing was adding lines to my expect script like so:

    expect "]#" { send "find /opt/IBM -name 'SystemErr.log' > $tempfile\r" }
    expect "]#" { send "find /opt/IBM -name 'SystemOut.log' >> $tempfile\r" }
    expect "]#" { send "find /opt/IBM -name 'trace.log' >> $tempfile\r" }
    expect "]#" { send "sed -i 's/^/\[monitor\:\\/\\//' $tempfile\r" }
    expect "]#" { send "sed -i 's/$/\]/' $tempfile\r" }
    expect "]#" { send "cat $tempfile >> $inputfile\r" }
    expect "]#" { send "/opt/splunkforwarder/bin/splunk restart\r" }
    expect "]#" { send "ps -ef | grep splunk\r" }

where $inputfile is /opt/splunkforwarder/etc/system/local/inputs.conf

This produces output like this in the inputs.conf file:

[monitor:///var/log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.Messaging.ddcwesbn2-WESBIlabNode02.0/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/nodeagent/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.WebApp.ddcwesbn2-WESBIlabNode02.0/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/WESBIlabNode02_proxy/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.AppTarget.ddcwesbn2-WESBIlabNode02.0/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.Support.ddcwesbn2-WESBIlabNode02.0/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.Messaging.ddcwesbn2-WESBIlabNode02.0/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/nodeagent/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.WebApp.ddcwesbn2-WESBIlabNode02.0/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/WESBIlabNode02_proxy/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.AppTarget.ddcwesbn2-WESBIlabNode02.0/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.Support.ddcwesbn2-WESBIlabNode02.0/SystemOut.log]

0 Karma

martin_mueller
SplunkTrust

You might want to set the monitor to /opt/*.log or a similar expression matching all your log files, and then whitelisting (or blacklisting) your way towards the correct set of files.

0 Karma

hokie1999
Explorer

Follow-up question. Let's say I want to monitor three files: /opt/a.log, /opt/b.log, /opt/c.log.

What would the [monitor://xxxx] statement in inputs.conf look like? Could I do this:

[monitor:///opt/a.log,/opt/b.log,/opt/c.log]

or does it have to be

[monitor:///opt/a.log]
[monitor:///opt/b.log]
[monitor:///opt/c.log]

Thanks.

0 Karma
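An added example in Python (not code from any poster in this thread or from Splunk) that ties the two approaches together: it builds the per-file stanzas from a found-file list the way the sed pipeline above does, emits the single recursive stanza with a whitelist regex that the SplunkTrust reply suggests, and lints an inputs.conf for stanza headers that will not monitor what was meant (a comma-joined path list as in the follow-up question, a misspelled input type, duplicates). The sample paths are constructed; `recursive` and `whitelist` are real monitor-stanza settings, and the set of known input types is an assumption kept to prefixes that exist in inputs.conf.

```python
import re
from collections import Counter

# Constructed sample: the kind of list the poster's find commands write to $tempfile.
FOUND_LOGS = """\
/opt/IBM/WebSphere/WesbServer/profiles/Node02/logs/nodeagent/SystemErr.log
/opt/IBM/WebSphere/WesbServer/profiles/Node02/logs/nodeagent/SystemOut.log
/opt/IBM/WebSphere/WesbServer/profiles/Node02/logs/server1/trace.log
""".split()

# Real inputs.conf stanza prefixes (assumed list); anything else is almost certainly a typo.
KNOWN_TYPES = {"monitor", "batch", "script", "tcp", "udp", "splunktcp", "fschange"}
HEADER_RE = re.compile(r"^\[(?P<kind>[^:\]]+)://(?P<path>[^\]]*)\]$")

def per_file_stanzas(paths):
    """One [monitor://] stanza per file: the same output the sed pipeline produces."""
    return "".join(f"[monitor://{p}]\n" for p in paths)

def whitelist_stanza(root, names):
    """Single recursive stanza over a root, narrowed to the wanted file names by regex."""
    alternation = "|".join(re.escape(n) for n in names)
    return f"[monitor://{root}]\nrecursive = true\nwhitelist = (?:{alternation})$\n"

def lint_inputs(conf_text):
    """Return (line_no, problem) pairs for stanza headers that will not do what was meant."""
    problems, seen = [], Counter()
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("[") or "://" not in line:
            continue  # settings lines and non-path stanzas such as [default]
        m = HEADER_RE.match(line)
        if not m:
            problems.append((n, "malformed stanza header"))
            continue
        kind, path = m.group("kind"), m.group("path")
        if kind not in KNOWN_TYPES:
            problems.append((n, f"unknown input type {kind!r} (typo for 'monitor'?)"))
        elif kind == "monitor":
            if "," in path:  # a header holds one path; commas are taken literally
                problems.append((n, "comma in path: one stanza per file, or a wildcard plus whitelist"))
            elif not path.startswith("/"):
                problems.append((n, "path is not absolute; a Unix path needs [monitor:///...]"))
            seen[path] += 1
            if seen[path] > 1:
                problems.append((n, f"duplicate stanza for {path}"))
    return problems

if __name__ == "__main__":
    print(per_file_stanzas(FOUND_LOGS))
    print(whitelist_stanza("/opt/IBM", ["SystemErr.log", "SystemOut.log", "trace.log"]))
    for n, msg in lint_inputs("[monitor:///opt/a.log,/opt/b.log,/opt/c.log]\n[moniotr:///opt/b.log]\n"):
        print(f"line {n}: {msg}")
```

Run the linter over the forwarder's inputs.conf after a script like the one above has appended to it, before restarting the forwarder, so a silently ignored stanza does not turn into a log source that never arrives at the indexers.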