Re: How to configure IP range in inputs.conf on he...

nzarzyckivs · ‎10-09-2018

I have logs coming to a heavy forwarder being stored under directories based on IPs (i.e. " /var/log/remote/192.168.1.6"

How do I use inputs.conf to capture a range of IPs while setting the index and sourcetype? This doesn't work:

[monitor:///var/log/remote/192.168.1.*/*.log]
 host_segment=4
 sourcetype=bar
 index=foo

skalliger · ‎11-06-2018

What you want is probably something like this. You want to do a recursive monitor. To be able to do this, you'll need a whitelist for it. I can't test it right now because I don't have any hosts stored as ip address file names. 😞

[monitor:///var/log/remote/.../*.log]
host_segment=4
sourcetype=bar
index=foo
whitelist = your ip address regex

Put in your IP address regex here, for example:

whitelist = (\/var\/log\/remote\/192\.168\.1.)

Depending on which IP addresses you want to monitor.

Skalli

Anonymous · ‎11-06-2018

Do you get any error messages in the console`?

nzarzyckivs · ‎10-09-2018

To elaborate further, what I'm trying to do is tag all directories with IP names with the same index and sourcetype before being forwarded to my indexers. So:

/var/log/remote/192.168.1./.log

The below did not work:

[monitor:///var/log/remote/192.168.1*./*.log]
host_segment=4
sourcetype=bar
index=foo

Anonymous · ‎11-06-2018

Do you recieve any messages in the web console?

How to configure IP range in inputs.conf on heavy forwarder

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...