Hi,
I need to monitor some logs where I need to wildcard part of the hostname into the path. Is that possible?
For example, I have:
/apps/oracle/install/admin/instances
/apps/oracle/install/admin/instances/ovdpmmk1a
/apps/oracle/install/admin/instances/ovdpmmk1b
/apps/oracle/install/admin/instances/ovdpmmk2a
/apps/oracle/install/admin/instances/ovdpmmk2b
/apps/oracle/install/admin/instances/ovdpmmk3a
/apps/oracle/install/admin/instances/ovdpmmk3b... (it keeps going)
The hostname is ovdpmmk1. On this server, I want to monitor certain files in the ovdpmmk1a and 1b directories. On the ovdpmmk2 server, I want to monitor certain files in the ovdpmmk2a and 2b directories. Is there a way to take the hostname and make it part of the inputs?
So monitor:.../apps/oracle/install/admin/instances/REGEXFORHOSTNAME/myfile?
I begin to see the difficulty. I haven't tried this - perhaps you have already - but would something like this work?
/apps/oracle/install/admin/instances/${hostname}*
You just need a common environment variable that returns the hostname...
That's what I'm looking for... I'll try it. Wasn't sure which variables are allowed in stanzas....
You can use wildcards in the path. E.g. /apps/oracle/install/admin/instances/*/myfile
For a look at a variety of input types, including this one, check out Log File Analysis for Oracle 11g on the apps.splunk.com web site.
I don't think wildcards will work in this case, if I want to use only one input. Looking for hostname variable or something like that...
I use wildcards for similar situations. For instance, I pick up alert log files for Oracle with something like this:
monitor:///apps/oracle/diag/rdbms/*/*/trace/alert*.log
This picks up all alert logs on the system for every database, including any that I might add in the future, with one input. In your case I would think something like this would work:
/apps/oracle/install/admin/instances/ovdpmmk*
That won't work because there are 4 directories of ovdpmmk on each server, and I only want the one that matches the hostname. So, if the hostname is ovdpmmk1, I want that one, if it's ovdpmmk2, I want ovdpmmk2....
Does this still apply? Pretty old...seems like a similar situation.
http://blogs.splunk.com/2009/07/09/monitoring-input-files-with-a-white-list/
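
One way to get the effect asked about in this thread without relying on variable expansion inside the stanza, as an added example that is not from any poster: a shell function, run per host by whatever deploys the forwarder configuration, that renders a monitor stanza whose whitelist regex contains that host's name. The function names, the single-letter instance suffix and the deployment step are assumptions; the base path and `myfile` come from the question.

```shell
#!/bin/sh
# Added example: render a host-specific Splunk monitor stanza.
# Assumptions (not from the thread): each instance directory is the short
# hostname plus one lowercase letter, and a deployment step runs this per host.

BASE_DIR="/apps/oracle/install/admin/instances"   # path from the question

# Print the short hostname, or fail if it contains anything other than
# letters, digits and hyphens. This keeps regex metacharacters and path
# separators out of the generated whitelist.
short_host() {
    h="${1%%.*}"                        # drop any domain part of an FQDN
    case "$h" in
        ""|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    printf '%s\n' "$h"
}

# Emit an inputs.conf stanza that monitors BASE_DIR but only admits
# <host><letter>/<file>, so ovdpmmk1 never picks up ovdpmmk2a or ovdpmmk2b.
render_stanza() {
    host=$(short_host "$1") || { echo "invalid hostname: $1" >&2; return 1; }
    case "$2" in
        ""|*[!A-Za-z0-9._-]*) echo "invalid file name: $2" >&2; return 1 ;;
    esac
    # Escape dots so "alert.log" matches literally in the regex.
    file=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    printf '[monitor://%s]\n' "$BASE_DIR"
    printf 'whitelist = /%s[a-z]/%s$\n' "$host" "$file"
}

# Typical call from a deployment script (destination path is hypothetical):
#   render_stanza "$(hostname)" myfile > "$APP_DIR/local/inputs.conf"
```

The whitelist is a regular expression matched against the full path of each file under the monitored directory, which is why the hostname is validated before it is written into the stanza.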