Hello,
Please bear with me because I'm new to Splunk and I've only just started using it today. Also note that I am currently running their trial and have not purchased anything yet.
I am looking to index the Application logs from our PeopleSoft server, which are stored as APPSRV_*.LOG on the PeopleSoft server. A new log file is created for each day and the format is APPSRV_MMDD.LOG. Within the directory that the APPSRV logs are stored are other files that are of no interest to me at the moment.
I currently have my data input set up as a UNC path to the directory, but I don't know how to only allow indexing on the APPSRV_MMDD.LOGs and not the others. Is there a way to index only certain file names by using a wildcard and not others, or must I index the entire directory? Please let me know if you have any questions.
Thank you,
Robert
See if this gets you what you are looking for: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Specifyinputpathswithwildcards
Basically, you will have something like [monitor:///APPSRV_*.log]
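An added example, not part of the original posts: an inputs.conf stanza that keeps the UNC directory input from the question and limits it with a whitelist regex instead of a wildcard in the path. The server, share and directory names are placeholders, and the four-digit pattern is an assumption taken from the APPSRV_MMDD.LOG format described in the question.

```ini
# inputs.conf (added example; <server>, <share> and <logdir> are placeholders)
# Monitor the whole directory over its UNC path ...
[monitor://\\<server>\<share>\<logdir>]
# ... but only index files whose full path matches this regex.
# \\        literal backslash, so the match starts at the file name
# \d{4}     the MMDD part of APPSRV_MMDD.LOG (assumed to be four digits)
# (?i)      accept .LOG as written in the question or .log as in the answer
# $         anchor at the end so names with a further suffix do not match
whitelist = (?i)\\APPSRV_\d{4}\.LOG$
disabled = false
```

After restarting Splunk, `splunk list monitor` shows which files the input has actually picked up, which confirms that the other files in the directory are being skipped.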