Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Help with input monitoring
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with input monitoring
Hi,
I need to monitor some logs where I need to wildcard part of the hostname into the path. Is that possible:
For example, I have:
/apps/oracle/install/admin/instances
/apps/oracle/install/admin/instances/ovdpmmk1a
/apps/oracle/install/admin/instances/ovdpmmk1b
/apps/oracle/install/admin/instances/ovdpmmk2a
/apps/oracle/install/admin/instances/ovdpmmk2b
/apps/oracle/install/admin/instances/ovdpmmk3a
/apps/oracle/install/admin/instances/ovdpmmk3b... (it keeps going)
The hostname is ovdpmmk1. On this server, I want to monitor certain files in the ovdpmmk1a and 1b directories. On the ovdpmmk2 server, I want to monitor certain files in the ovdpmmk2a and 2b directory. Is there a way to take the hostname and make it part of the inputs?
So monitor:.../apps/oracle/install/admin/instances/REGEXFORHOSTNAME/myfile?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I begin to see the difficulty. I haven't tried this - perhaps you have already - but would something like this work?
/apps/oracle/install/admin/instances/${hostname}*
You just need a common environment variable that returns the hostname...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's what I'm looking for... I'll try it. Wasn't sure which variables that are allowed in stanza's....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use wildcards in the path. E.g. /apps/oracle/install/admin/instances/*/myfile
For a look at a variety of input types, including this one, check out Log File Analysis for Oracle 11g on the apps.splunk.com web site.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think wildcards will work in this case, if I want to use only one input. Looking for hostname variable or something like that...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use wildcards for similar situations. For instance, I pick up alert log files for Oracle with something like this:
monitor:///apps/oracle/diag/rdbms/*/*/trace/alert*.log
This picks up all alert logs on the system for every database, including any that I might add in the future, with one input. In your case I would think something like this would work:
/apps/oracle/install/admin/instances/ovdpmmk*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That won't work because there are 4 directories of ovdpmmk on each server, and I only want the one that matches the hostname. So, if the hostname is ovdpmmk1, I want that one, if it's ovdpmmk2, I want ovdpmmk2....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this still apply? Pretty old...seems like a similar situation.
http://blogs.splunk.com/2009/07/09/monitoring-input-files-with-a-white-list/
The OpenTelemetry Certified Associate (OTCA) Exam
From Manual to Agentic: Level Up Your SOC at Cisco Live
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)
