Getting Data In

How do I edit my inputs.conf monitor stanzas with wildcards to only monitor two types of logs?

Federica_92
Communicator

Hi everyone, I have 3 folders called: www1, www2, www3, and I would like to get only 2 types of logs:

security.log and access.log.

I did something like that:

[monitor:///opt/log/www*/access.log]
sourcetype=linux_secure
host_segment=3
host=www*
index=web

[monitor:///opt/log/www*/secure.log]
host_segment=3
host=www*
index=main

But it's not obviously working, how can I correct this?

0 Karma

maciep
Champion

What are you doing with host=www*? You're already telling Splunk to assign the host value from the 3rd segment of the log path...

0 Karma

Federica_92
Communicator

It wasn't working, so I wrote host=www* again, to try...

0 Karma

diogofgm
SplunkTrust

Try this:

[monitor:///opt/log/www*/access.log]
sourcetype=access_combined
host_segment=3
index=web

[monitor:///opt/log/www*/secure.log]
sourcetype=linux_secure
host_segment=3
index=main

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

Federica_92
Communicator

whitelist=security.log$|access.log$, do you think I can monitor these using regular expressions?

0 Karma
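
Added example, not part of any post in this thread: a Python check that approximates Splunk's documented wildcard and host_segment handling to preview which files the stanzas in the answer above pick up, and which files the whitelist regex from the last post would select. The file listing is constructed, and the function names and the escaped regex variant are assumptions made for this illustration.

```python
import re

def monitor_regex(path):
    """Approximation of the documented wildcards: '...' -> '.*', '*' -> '[^/]*'."""
    parts = re.split(r"(\.\.\.|\*)", path)
    conv = {"...": ".*", "*": "[^/]*"}
    return re.compile("^" + "".join(conv.get(p, re.escape(p)) for p in parts) + "$")

def host_from_segment(path, n):
    """host_segment=n takes the n-th '/'-separated segment of the file path."""
    return path.strip("/").split("/")[n - 1]

def resolve(stanzas, paths):
    """Map each picked-up path to (host, index, sourcetype)."""
    picked = {}
    for s in stanzas:
        rx = monitor_regex(s["monitor"])
        for p in paths:
            if rx.match(p):
                picked[p] = (host_from_segment(p, s["host_segment"]),
                             s["index"], s["sourcetype"])
    return picked

def whitelisted(regex, paths):
    """whitelist is an unanchored regex tested against the full file path."""
    return [p for p in paths if re.search(regex, p)]

# Stanzas as posted in the thread's answer
STANZAS = [
    {"monitor": "/opt/log/www*/access.log", "host_segment": 3,
     "index": "web", "sourcetype": "access_combined"},
    {"monitor": "/opt/log/www*/secure.log", "host_segment": 3,
     "index": "main", "sourcetype": "linux_secure"},
]

# Constructed file listing (not from the thread)
PATHS = [
    "/opt/log/www1/access.log",
    "/opt/log/www2/secure.log",
    "/opt/log/www3/security.log",
    "/opt/log/www1/old_access_log",
    "/opt/log/www2/debug.log",
]

if __name__ == "__main__":
    for path, meta in resolve(STANZAS, PATHS).items():
        print(path, "->", meta)
    for rx in (r"security.log$|access.log$", r"/(security|access)\.log$"):
        print(rx, "->", whitelisted(rx, PATHS))
```

On this listing a stanza written for secure.log does not pick up a file named security.log, so the file name in the stanza has to match the name on disk. The whitelist as written also selects old_access_log, because the unescaped `.` matches any character and nothing anchors the start of the file name; the escaped form with a leading `/` selects only the two intended names.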