Re: How to configure IP range in inputs.conf on he...

nzarzyckivs · ‎10-09-2018

I have logs coming to a heavy forwarder being stored under directories based on IPs (i.e. " /var/log/remote/192.168.1.6"

How do I use inputs.conf to capture a range of IPs while setting the index and sourcetype? This doesn't work:

[monitor:///var/log/remote/192.168.1.*/*.log]
 host_segment=4
 sourcetype=bar
 index=foo

skalliger · ‎11-06-2018

What you want is probably something like this. You want to do a recursive monitor. To be able to do this, you'll need a whitelist for it. I can't test it right now because I don't have any hosts stored as ip address file names. 😞

[monitor:///var/log/remote/.../*.log]
host_segment=4
sourcetype=bar
index=foo
whitelist = your ip address regex

Put in your IP address regex here, for example:

whitelist = (\/var\/log\/remote\/192\.168\.1.)

Depending on which IP addresses you want to monitor.

Skalli

Anonymous · ‎11-06-2018

Do you get any error messages in the console`?

nzarzyckivs · ‎10-09-2018

To elaborate further, what I'm trying to do is tag all directories with IP names with the same index and sourcetype before being forwarded to my indexers. So:

/var/log/remote/192.168.1./.log

The below did not work:

[monitor:///var/log/remote/192.168.1*./*.log]
host_segment=4
sourcetype=bar
index=foo

Anonymous · ‎11-06-2018

Do you recieve any messages in the web console?

How to configure IP range in inputs.conf on heavy forwarder

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life