Getting Data In
Highlighted

How to configure IP range in inputs.conf on heavy forwarder

Explorer

I have logs coming to a heavy forwarder being stored under directories based on IPs (i.e. " /var/log/remote/192.168.1.6"

How do I use inputs.conf to capture a range of IPs while setting the index and sourcetype? This doesn't work:

[monitor:///var/log/remote/192.168.1.*/*.log]
 host_segment=4
 sourcetype=bar
 index=foo
Highlighted

Re: How to configure IP range in inputs.conf on heavy forwarder

Explorer

To elaborate further, what I'm trying to do is tag all directories with IP names with the same index and sourcetype before being forwarded to my indexers. So:

/var/log/remote/192.168.1./.log

The below did not work:

[monitor:///var/log/remote/192.168.1./.log]
host_segment=4
sourcetype=bar
index=foo

0 Karma
Highlighted

Re: How to configure IP range in inputs.conf on heavy forwarder

Path Finder

Do you recieve any messages in the web console?

0 Karma
Highlighted

Re: How to configure IP range in inputs.conf on heavy forwarder

Path Finder

Do you get any error messages in the console`?

0 Karma
Highlighted

Re: How to configure IP range in inputs.conf on heavy forwarder

SplunkTrust
SplunkTrust

What you want is probably something like this. You want to do a recursive monitor. To be able to do this, you'll need a whitelist for it. I can't test it right now because I don't have any hosts stored as ip address file names. 😞

[monitor:///var/log/remote/.../*.log]
host_segment=4
sourcetype=bar
index=foo
whitelist = your ip address regex

Put in your IP address regex here, for example:

whitelist = (\/var\/log\/remote\/192\.168\.1.)

Depending on which IP addresses you want to monitor.

Skalli

0 Karma