Getting Data In

HOw to black list entire folder

vikas_gopal
Builder

HI Experts ,

I am prety sure this has been already answered but I am not able to find the correct answer on the community . I have path as below
C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\
server1
server2
server3

I have 8 servers on which same directory structure exist

I want to use host_segment so that my host name will be automatically picked up and I only want to index server1 files . So 2 things I want to achieve
1) If I am on host 1 , the host name should be server1

2) Only server1 folder files will get indexed .

I tried folloing but it is not indexing my files and not setting up the hostname

[monitor://C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\*\productengin_*.log]
disabled = false
host_segment = 5
index = main
whitelist = server1

Any suggestion will be highly appricaited

Regards
VG

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Can you do this?

[monitor://C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\server1\productengin_*.log]
 host=server1
 index=main

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

Can you do this?

[monitor://C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\server1\productengin_*.log]
 host=server1
 index=main
0 Karma

vikas_gopal
Builder

My bad I don't know after posting my format of the inputs.conf file is disturbed let me modify it .Please check now , hope this make sense . Here first * is folder like server1, server2, etc . Wild car in the file name , I am not bothered about that , because it is just 1,2 ,3 etc

0 Karma

jkat54
SplunkTrust
SplunkTrust

I've updated

0 Karma

vikas_gopal
Builder

Thank you for the quick response but the only concern is via DS how I can manage this as a single stenza . That is why I was planing to use host_segment . So does this mean I have to create sepparate app per host ?

0 Karma

vikas_gopal
Builder

Well I have created separate SC and App on DS for each host.

0 Karma

jkat54
SplunkTrust
SplunkTrust

The way you wanted to do this is possible, but you need props & transforms.

props.conf
[sourcetype]
TRANSFORMS-abc=abc

transforms.conf
[abc]
REGEX=WNEngin1\/(\W+)\/
 SOURCE=MetaData:Source
FORMAT=host::$1
DEST=MetaData:Host
0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...