Help with monitoring stanza

vrmandadi
Builder

Below are the files to monitor

/Backup/HealthCheck/Reports/Auto_HC_Mar_19_19_08_26_25.log
/Backup/HealthCheck/Reports/CBA_HC_Mar_19_19_08_27_03.log

Below is the stanza I am using

[monitor:///Backup/HealthCheck/Reports/*.log]

Is this the correct monitor stanza or am I doing something wrong?

0 Karma

woodcock
Esteemed Legend

The stanza is correct but did you assign a sourcetype=foo and index=bar under it so that you know where to look for the data?

0 Karma

richgalloway
SplunkTrust

If that stanza results in those files being monitored, then the stanza is correct. If the files are not monitored, then something is amiss and you should share the entire stanza.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

vrmandadi
Builder

[monitor:///Backup/HealthCheck/Reports/*.log]
index = main
sourcetype = db_health

The above stanza is from the deployment server and below is the event from the internal logs for that host

03-19-2019 14:01:47.251 -0400 INFO WatchedFile - Will begin reading at offset=522894 for file='/var/log/cbsensor/cbdaemon.ORCLPRODSS1-AZ3.invalid-user.log.INFO.20190318-103119.10963

0 Karma

ddrillic
Ultra Champion

Oh, you should look for something like -

-- 03-16-2019 23:00:00.089 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/Backup/HealthCheck/Reports/CBA_HC_Mar_19_19_08_27_03.log'.

Your monitor stanza looks just fine.

0 Karma
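The check suggested in the replies above, as an added example that is not part of the original thread: it translates a wildcard monitor stanza into a regex and lists which `WatchedFile` events in splunkd.log it covers. The function names are hypothetical, the wildcard translation (`*` stays within one path segment, `...` crosses directories) is assumed from Splunk's documented inputs.conf behaviour, and the sample log lines are constructed from the two events quoted in the thread.

```python
import re

# Constructed sample of splunkd.log, modelled on the two events quoted in the thread.
SAMPLE_LOG = """\
03-19-2019 14:01:47.251 -0400 INFO WatchedFile - Will begin reading at offset=522894 for file='/var/log/cbsensor/cbdaemon.ORCLPRODSS1-AZ3.invalid-user.log.INFO.20190318-103119.10963'.
03-16-2019 23:00:00.089 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/Backup/HealthCheck/Reports/CBA_HC_Mar_19_19_08_27_03.log'.
"""

WATCHED = re.compile(
    r"WatchedFile - Will begin reading at offset=(\d+) for file='([^']+)'")

def monitor_to_regex(header):
    """Turn a wildcard [monitor://<path>] header into an anchored regex."""
    m = re.fullmatch(r"\[monitor://(.+)\]", header.strip())
    if not m:
        raise ValueError("not a monitor stanza: %r" % header)
    # Split on the two wildcard tokens, keeping them in the result.
    parts = re.split(r"(\.\.\.|\*)", m.group(1))
    trans = {"...": ".*", "*": "[^/]*"}
    body = "".join(trans.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + body + "$")

def files_read_for(header, log_text):
    """Return (path, offset) for each WatchedFile event the stanza covers."""
    rx = monitor_to_regex(header)
    hits = []
    for line in log_text.splitlines():
        ev = WATCHED.search(line)
        if ev and rx.match(ev.group(2)):
            hits.append((ev.group(2), int(ev.group(1))))
    return hits

def uncovered(header, expected_paths, log_text):
    """Expected files for which the log shows no read event yet."""
    seen = {path for path, _ in files_read_for(header, log_text)}
    return [p for p in expected_paths if p not in seen]

if __name__ == "__main__":
    stanza = "[monitor:///Backup/HealthCheck/Reports/*.log]"
    expected = ["/Backup/HealthCheck/Reports/Auto_HC_Mar_19_19_08_26_25.log",
                "/Backup/HealthCheck/Reports/CBA_HC_Mar_19_19_08_27_03.log"]
    print("read:", files_read_for(stanza, SAMPLE_LOG))
    print("no event yet:", uncovered(stanza, expected, SAMPLE_LOG))
```

An event for an unrelated path, such as the cbsensor file, says nothing about whether this stanza is working; only events whose path matches the stanza count.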