Getting Data In

How do I "watch" a specific log file and only send updates based on specific strings?

sdickson
New Member

I need to watch log files for certain error strings only. Ideally this would be done on the machine that contains the file to be monitored, so I am assuming that each machine that contains monitored files would need to be configured as a forwarder, but this is where I begin to get lost. I am a newbie to Splunk so please forgive my novice question. Can anyone tell me what files need to be altered on the forwarder to filter and forward the strings? I do have this configured so that every time the log file is altered it updates the receiver.

0 Karma

Brian_Osburn
Builder

The high level answer would be to edit the inputs.conf file on the forwarder to point it to the right files.

See http://www.splunk.com/base/Documentation/4.2.2/Data/Usingforwardingagents which will explain how to set up forwarding.

That will set up the file for forwarding.

The second part of your question around only indexing specific strings can be answered in two ways. First, the easiest method is to just index the entire file, and then just set up a search to alert on your error messages.

The second option is if you want to just index the strings you want. You will need to set up a transforms.conf to use the sed-cmd to keep only the strings that match your regex. You can see more at http://www.splunk.com/base/Documentation/4.2.2/Admin/Propsconf

Also, might want to check out the nullqueue http://www.splunk.com/base/Documentation/4.2.2/Deploy/Routeandfilterdatad (thanks DuckFez!)

The second option is a little more complicated than the first option.
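The nullQueue route the answer links to, written out as an added example (not from the original post or the Splunk documentation). The file path, sourcetype name and the error pattern `ERROR|FATAL` are assumptions for illustration; substitute your own. Two points a practitioner will want to know: the `TRANSFORMS-` stanzas run at the parsing stage, so they belong in props.conf and transforms.conf on a heavy forwarder or on the indexer, not on a universal forwarder (which does not parse events); and the transforms are applied in the listed order, so the catch-all `setnull` comes first and the narrower `setparsing` overrides it for the events you want to keep.

```ini
# inputs.conf (on the forwarder): watch the file and tag it with a sourcetype.
# Path and sourcetype are constructed for this example.
[monitor:///var/log/myapp/app.log]
sourcetype = myapp_log
disabled = false

# props.conf (on the heavy forwarder or indexer): apply the transforms,
# in order, to every event with that sourcetype.
[myapp_log]
TRANSFORMS-filter = setnull, setparsing

# transforms.conf (same host as props.conf)
# 1. Send every event to the nullQueue (discarded before indexing).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Events matching the error pattern are routed back to the indexQueue,
#    overriding setnull. Adjust the regex to the strings you care about.
[setparsing]
REGEX = ERROR|FATAL
DEST_KEY = queue
FORMAT = indexQueue
```

After a restart of the parsing host, only lines containing `ERROR` or `FATAL` are indexed and the rest are dropped, which also reduces licence usage. Because dropped events are gone for good, test the regex on a copy of the file first (for example by indexing the whole file into a scratch index, as the first option describes) before enabling the filter in production.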
