Re: How to configure IP range in inputs.conf on he...

nzarzyckivs · ‎10-09-2018

I have logs coming to a heavy forwarder being stored under directories based on IPs (i.e. " /var/log/remote/192.168.1.6"

How do I use inputs.conf to capture a range of IPs while setting the index and sourcetype? This doesn't work:

[monitor:///var/log/remote/192.168.1.*/*.log]
 host_segment=4
 sourcetype=bar
 index=foo

skalliger · ‎11-06-2018

What you want is probably something like this. You want to do a recursive monitor. To be able to do this, you'll need a whitelist for it. I can't test it right now because I don't have any hosts stored as ip address file names. 😞

[monitor:///var/log/remote/.../*.log]
host_segment=4
sourcetype=bar
index=foo
whitelist = your ip address regex

Put in your IP address regex here, for example:

whitelist = (\/var\/log\/remote\/192\.168\.1.)

Depending on which IP addresses you want to monitor.

Skalli

Anonymous · ‎11-06-2018

Do you get any error messages in the console`?

nzarzyckivs · ‎10-09-2018

To elaborate further, what I'm trying to do is tag all directories with IP names with the same index and sourcetype before being forwarded to my indexers. So:

/var/log/remote/192.168.1./.log

The below did not work:

[monitor:///var/log/remote/192.168.1*./*.log]
host_segment=4
sourcetype=bar
index=foo

Anonymous · ‎11-06-2018

Do you recieve any messages in the web console?

How to configure IP range in inputs.conf on heavy forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation