
How do I edit my inputs.conf monitor stanzas with wildcards to only monitor two types of logs?

Federica_92
Communicator

Hi everyone, I have 3 folders called: www1, www2, www3, and I would like to get only 2 types of logs:

security.log and access.log.

I did something like this:

[monitor:///opt/log/www*/access.log]
sourcetype=linux_secure
host_segment=3
host=www*
index=web

[monitor:///opt/log/www*/secure.log]
host_segment=3
host=www*
index=main

But it's obviously not working; how can I correct this?

0 Karma

maciep
Champion

What are you doing with host=www*? You're already telling Splunk to assign the host value from the 3rd segment of the log path...

0 Karma

Federica_92
Communicator

It wasn't working, so I wrote host=www* again, to try...

0 Karma

diogofgm
SplunkTrust

Try this:

[monitor:///opt/log/www*/access.log]
sourcetype=access_combined
host_segment=3
index=web

[monitor:///opt/log/www*/secure.log]
sourcetype=linux_secure
host_segment=3
index=main

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

Federica_92
Communicator

whitelist=security.log$|access.log$, do you think I can monitor these using regular expressions?

0 Karma
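
An added example, not written by any poster in this thread: a Python check of which file paths a monitor whitelist regex would admit and which host value host_segment=3 would assign. It assumes the whitelist is an unanchored regex applied to the full file path; the sample paths and the STRICT pattern are constructed for illustration.

```python
import re

# Pattern as written in the last post, and a stricter variant (assumption:
# escaped dots plus a leading "/" so only the exact file names match).
POSTED = r"security.log$|access.log$"
STRICT = r"/(security|access)\.log$"

# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = [
    "/opt/log/www1/access.log",
    "/opt/log/www2/security.log",
    "/opt/log/www3/secure.log",      # file name used in the stanzas above
    "/opt/log/www1/error.log",
    "/opt/log/www2/access.log.1",    # rotated copy
    "/opt/log/www3/old_access.log",
    "/opt/log/www1/access_log",      # "." in POSTED matches any character
]

def host_from_segment(path, segment):
    """Return the Nth path segment (1-based), as host_segment would select."""
    parts = [p for p in path.split("/") if p]
    return parts[segment - 1] if 0 < segment <= len(parts) else None

def admitted(pattern, paths):
    """Paths the whitelist regex admits (unanchored search on the full path)."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

def report(pattern, paths=SAMPLE_PATHS, segment=3):
    """Map each admitted path to the host value host_segment would assign."""
    return {p: host_from_segment(p, segment) for p in admitted(pattern, paths)}

if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("strict", STRICT)):
        print(name, pat)
        for path, host in report(pat).items():
            print(f"  {path} -> host={host}")
```

Running it shows the posted pattern also admits old_access.log and access_log, and that neither pattern admits secure.log, the file name the stanzas above monitor.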