How to Watch Multiple Log Files with Similar Names...

yourknightmares · ‎12-06-2021

Hi, I'm setting up Splunk Universal Forwarder to watch logs generated from an application I have in AWS Elastic Beanstalk. This is done by running shell script installing the Universal Forwarder and setting up monitors.

Simple enough. The problem is my application logs into a rolling file, meaning after a certain amount of data has been entered into the file (10MB in this example) it then creates a new file in the same location named "example 1.log" then "example 2.log", etc.

Currently I've tried using the below command to set up all the monitors with no success:

/opt/splunkforwarder/bin/splunk add monitor "/var/logs/example*"

How can I capture all the files it will create?

manjunathmeti · ‎12-06-2021

What is the issue? Are you getting duplicate data or no data at all?

yourknightmares · ‎12-07-2021

No data at all

How to Watch Multiple Log Files with Similar Names with Universal Forwarder

Linux

monitor

scripted input

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation