Getting Data In

HOw to black list entire folder

vikas_gopal
Builder

HI Experts ,

I am prety sure this has been already answered but I am not able to find the correct answer on the community . I have path as below
C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\
server1
server2
server3

I have 8 servers on which same directory structure exist

I want to use host_segment so that my host name will be automatically picked up and I only want to index server1 files . So 2 things I want to achieve
1) If I am on host 1 , the host name should be server1

2) Only server1 folder files will get indexed .

I tried folloing but it is not indexing my files and not setting up the hostname

[monitor://C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\*\productengin_*.log]
disabled = false
host_segment = 5
index = main
whitelist = server1

Any suggestion will be highly appricaited

Regards
VG

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Can you do this?

[monitor://C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\server1\productengin_*.log]
 host=server1
 index=main

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

Can you do this?

[monitor://C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\server1\productengin_*.log]
 host=server1
 index=main
0 Karma

vikas_gopal
Builder

My bad I don't know after posting my format of the inputs.conf file is disturbed let me modify it .Please check now , hope this make sense . Here first * is folder like server1, server2, etc . Wild car in the file name , I am not bothered about that , because it is just 1,2 ,3 etc

0 Karma

jkat54
SplunkTrust
SplunkTrust

I've updated

0 Karma

vikas_gopal
Builder

Thank you for the quick response but the only concern is via DS how I can manage this as a single stenza . That is why I was planing to use host_segment . So does this mean I have to create sepparate app per host ?

0 Karma

vikas_gopal
Builder

Well I have created separate SC and App on DS for each host.

0 Karma

jkat54
SplunkTrust
SplunkTrust

The way you wanted to do this is possible, but you need props & transforms.

props.conf
[sourcetype]
TRANSFORMS-abc=abc

transforms.conf
[abc]
REGEX=WNEngin1\/(\W+)\/
 SOURCE=MetaData:Source
FORMAT=host::$1
DEST=MetaData:Host
0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...