Getting Data In

How do I "watch" a specific log file and only send updates based on specific strings?

sdickson
New Member

I need to watch log files for certain error strings only. Ideally this would be done on the machine that contains the file to be monitored, so I am assuming that each machine that contains monitored files would need to be configured as a forwarder, but this is where I begin to get lost. I am a newbie to Splunk, so please forgive my novice question. Can anyone tell me what files need to be altered on the forwarder to filter and forward the strings? I do have this configured so that every time the log file is altered it updates the receiver.


Brian_Osburn
Builder

The high level answer would be to edit the inputs.conf file on the forwarder to point it to the right files.

See http://www.splunk.com/base/Documentation/4.2.2/Data/Usingforwardingagents which will explain how to set up forwarding.

That will set up the file for forwarding.

The second part of your question around only indexing specific strings can be answered in two ways. First, the easiest method is to just index the entire file, and then just set up a search to alert on your error messages.

The second option is if you want to just index the strings you want. You will need to set up a transforms.conf to use the sed-cmd to keep only the strings that match your regex. You can see more at http://www.splunk.com/base/Documentation/4.2.2/Admin/Propsconf

Also, you might want to check out the nullqueue http://www.splunk.com/base/Documentation/4.2.2/Deploy/Routeandfilterdatad (thanks DuckFez!)

The second option is a little more complicated than the first option.
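The following is an added example of the "second option" above (it is not configuration from the answer or from Splunk's documentation): the forwarder-side inputs.conf and outputs.conf, plus the props.conf/transforms.conf pair that sends everything to nullQueue and then pulls only lines matching an error regex back into indexQueue. The log path, sourcetype, index name, receiver hostname and the ERROR|FATAL pattern are assumptions for illustration. One caveat a practitioner should know: queue routing via props.conf/transforms.conf happens at parsing time, and a universal forwarder does not parse, so put the props.conf/transforms.conf stanzas on a heavy forwarder or on the receiving indexer; the universal forwarder only needs inputs.conf and outputs.conf.

```ini
# ---- On the forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Assumed path and sourcetype; one stanza per file (or directory) to watch.
[monitor:///var/log/myapp/app.log]
sourcetype = myapp
index = main
disabled = 0

# ---- On the forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ----
# Assumed receiver host; port 9997 is the conventional receiving port.
[tcpout]
defaultGroup = primary

[tcpout:primary]
server = indexer.example.com:9997

# ---- On the parsing tier (heavy forwarder or indexer): props.conf ----
# Transforms run in the listed order; a later match overrides an earlier one,
# so "drop everything" must come first and "keep errors" second.
[myapp]
TRANSFORMS-filter = setnull, setparsing

# ---- On the parsing tier (heavy forwarder or indexer): transforms.conf ----
# Step 1: route every event from this sourcetype to nullQueue (discarded).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: events whose raw text matches the assumed error pattern are routed
# back to indexQueue, overriding step 1. Only these lines are indexed.
[setparsing]
REGEX = \b(ERROR|FATAL)\b
DEST_KEY = queue
FORMAT = indexQueue
```

Restart the Splunk instance holding the props/transforms stanzas after editing, then check with a search such as `index=main sourcetype=myapp` that only the matching lines arrive; if every line still shows up, the filtering stanzas are most likely sitting on a universal forwarder that never applies them. Note that events dropped to nullQueue never reach the indexer at all, so if you later need the surrounding context for an error you will not have it; the answer's first option (index everything and alert with a search) keeps that context at the cost of license volume.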
