How do I edit my inputs.conf monitor stanzas with wildcards to only monitor two types of logs?

Communicator

Hi everyone, I have 3 folders called: www1, www2, www3, and I would like to get only 2 types of logs:

security.log and access.log.

I did something like that:

[monitor:///opt/log/www*/access.log] 
sourcetype=linux_secure
host_segment=3
host=www*
index=web 

[monitor:///opt/log/www*/secure.log] 
host_segment=3 
host=www* 
index=main 

But it's obviously not working. How can I correct this?

0 Karma

Champion

What are you doing with host=www*? You're already telling Splunk to assign the host value from the 3rd segment of the log path...

0 Karma

Communicator

It wasn't working, so I wrote host=www* again, to try...

0 Karma

Motivator

Try this:

[monitor:///opt/log/www*/access.log]
sourcetype=access_combined
host_segment=3
index=web

[monitor:///opt/log/www*/secure.log]
sourcetype=linux_secure
host_segment=3
index=main

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma
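
A way to check, before deploying, which files the two stanzas in the answer above would pick up and which host, sourcetype and index each file gets. This is an added example, not part of the thread and not Splunk's own code: it approximates the documented monitor semantics (`*` matches within one path segment, `...` recurses, `host_segment=N` takes the Nth `/`-separated segment). The function names and sample paths are constructed for illustration.

```python
import re

# Stanzas from the answer above (monitor path -> settings).
STANZAS = {
    "/opt/log/www*/access.log": {"sourcetype": "access_combined", "host_segment": 3, "index": "web"},
    "/opt/log/www*/secure.log": {"sourcetype": "linux_secure", "host_segment": 3, "index": "main"},
}

def monitor_to_regex(path):
    """Translate a monitor path: '*' stays inside one path segment, '...' recurses."""
    out = []
    i = 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def host_from_segment(path, n):
    """Return the n-th '/'-separated segment of path (1-based), or None if absent."""
    segments = [s for s in path.split("/") if s]
    return segments[n - 1] if 1 <= n <= len(segments) else None

def route(path, stanzas=STANZAS):
    """Return host/sourcetype/index for the first matching stanza, or None if unmonitored."""
    for monitor, cfg in stanzas.items():
        if monitor_to_regex(monitor).match(path):
            return {"host": host_from_segment(path, cfg["host_segment"]),
                    "sourcetype": cfg["sourcetype"], "index": cfg["index"]}
    return None

# Constructed sample paths, not taken from a real system.
SAMPLES = [
    "/opt/log/www1/access.log",
    "/opt/log/www2/secure.log",
    "/opt/log/www3/security.log",    # name used in the question text; no stanza matches it
    "/opt/log/www1/old/access.log",  # '*' does not cross a directory boundary
    "/opt/log/mail1/access.log",     # first segment after /opt/log does not start with www
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", route(p))
```

A path that returns `None` here would not be indexed by these stanzas, which is worth confirming for any log a detection depends on.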

Communicator

whitelist=security.log$|access.log$, do you think I can monitor these using regular expressions?

0 Karma