
How to add custom log file to splunk universal forwarder?

Engager

I have an application which generates a log. I need to add this log file to the Splunk universal forwarder so that it can be monitored by the indexer.

Thanks,
Tirumal

0 Karma

Re: How to add custom log file to splunk universal forwarder?

Splunk Employee

This is done in the inputs.conf file.

On the forwarder, edit $SPLUNK_HOME/etc/system/local/inputs.conf (create the file if it does not exist, but ensure the owner and group is the same user Splunk runs as on that system). Add a section like this:

[monitor:///path/to/your/app/log/directory]
disabled = false
sourcetype = yoursourcetypehere
index = yourappindexhere

Change the path to the appropriate directory for your application logs. Also, name the sourcetype with the name as you want it to appear in Splunk as the sourcetype, such as the name of your application - which would allow you to provide these logs from multiple systems for the same type of application with them all as the same sourcetype. If you want it to go into its own index, specify the name of the index, which must be created on the indexer, on that line. If you want the data to go into the default index, remove or comment out that line.

If you want to specify a specific name format for the log file in a directory full of other files, then add this line to the above stanza, as well:

whitelist = *.log

(Or whatever regex you need to match your filename pattern like myapp*.log.)


Re: How to add custom log file to splunk universal forwarder?

Engager

Thank you jtrucks. It's working.

0 Karma

Re: How to add custom log file to splunk universal forwarder?

Explorer

"*.log" is not a valid regular expression because "*" is a quantifier and must be preceded by a pattern.

"myapp*.log" is a valid regular expression, but it probably doesn't match the way you want. It literally reads as
(anything, "myap", zero or more "p" characters, ANY character, "log", anything)

The regular expression you probably want is

\.log$

which reads as
(anything, literal ".", "log", end of line)

or

^myapp\.log$

which reads as
(beginning of line, "myapp", literal ".", "log", end of line)

0 Karma
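
Added example, not part of the original thread: a Python check of the whitelist patterns quoted above against constructed file paths, assuming the forwarder applies the whitelist as an unanchored regex over each file's full path. The sample paths and the `/myapp\.log$` pattern are hypothetical, and Python's `re` stands in for Splunk's PCRE engine.

```python
import re

# Constructed sample paths under a hypothetical monitored directory.
SAMPLE_PATHS = [
    "/var/log/app1/myapp.log",
    "/var/log/app1/myapp.log.1",
    "/var/log/app1/myapp_login.txt",
    "/var/log/app1/audit.log",
    "/var/log/app1/catalog.txt",
]

# The first four patterns are quoted in the thread; the last is a
# hypothetical path-aware variant added for comparison.
PATTERNS = [r"*.log", r"myapp*.log", r"\.log$", r"^myapp\.log$", r"/myapp\.log$"]


def whitelist_matches(pattern, paths):
    """Return the paths a whitelist regex would select, or None if the
    pattern does not compile (a leading quantifier, for example)."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return None
    # search() rather than match(): the pattern is unanchored unless it
    # carries its own ^ or $ (assumption stated in the lead-in).
    return [p for p in paths if rx.search(p)]


def report(patterns=PATTERNS, paths=SAMPLE_PATHS):
    """Map each pattern to its selected paths so gaps and overmatches
    are visible before the stanza is deployed."""
    return {pat: whitelist_matches(pat, paths) for pat in patterns}


if __name__ == "__main__":
    for pat, hits in report().items():
        if hits is None:
            print(f"{pat!r}: INVALID regex")
        else:
            print(f"{pat!r}: {len(hits)} file(s)")
            for h in hits:
                print(f"    {h}")
```

Files a pattern misses are never forwarded, and files it overmatches are indexed alongside the intended logs, so both lists are worth reviewing before rollout.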

Re: How to add custom log file to splunk universal forwarder?

Communicator

Should this source type already exist in the indexer? Or can it be a new one?

0 Karma