Re: How do I "watch" a specific log file and only ...

sdickson · ‎07-26-2011

I need to watch log files for certain error strings only. Ideally this would be done on the machine that contains the file to be monitored, so I am assuming that each machine that contains monitored files would need to be configured as a forwarder, but this is where I begin to get lost. I am a newbie to splunk so please forgive my novice question. Can anyone tell me what files need to be altered on the forwarder to filter and forward the strings? I do have this configured so that everytime the log file is altered it updates the reciever.

Brian_Osburn · ‎07-27-2011

The high level answer would be to edit the inputs.conf file on the forwarder to point it to the right files.

See http://www.splunk.com/base/Documentation/4.2.2/Data/Usingforwardingagents which will explain how to set up forwarding.

That will set up the file for forwarding.

The second part of your question around only indexing specific strings can be answered in two ways. First, the easiest method is to just index the entire file, and then just set up a search to alert on your error messages.

The second option is if you want to just index the strings you want. You will need to set up a transforms.conf to use the sed-cmd to keep only the strings that match your regex. You can see more at http://www.splunk.com/base/Documentation/4.2.2/Admin/Propsconf

Also, might want to check out the nullqueue http://www.splunk.com/base/Documentation/4.2.2/Deploy/Routeandfilterdatad (thanks DuckFez!)

The second option is a little more complicated then the first option.

How do I "watch" a specific log file and only send updates based on specific strings?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases