Re: How to configure inputs.conf to monitor files ...

chandra61446 · ‎04-20-2016

I have file called console.log. When its size reaches to 512MB, another file gets created with the name console_server_01.log. When this reaches to 512 MB, another file is created with name console_server_02.log and so on.

I would like to configure inputs.conf for all source files like console* so that Splunk automatically fetches data from the latest file.

How to do that?

jplumsdaine22 · ‎04-20-2016

If you have control over the process thats writing the logs I would recommend that you have the most recent file be called console.log, and call the rolled files console.log.1 etc. Have a look at the logrotate command.

Otherwise, set up your inputs.conf stanza like so:

[monitor:///path/to/console.*log]

This will ensure that all the console.logs are monitored. Note that if you have a header in the log file you may run into problems with the crc checking - ie Splunk won't know that the files are different. If that happens, and you will never reuse the filenames you could set

crcSalt=<SOURCE>

Have a look at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

ktugwell_splunk · ‎04-20-2016

Hi chandra,

All you need to do is monitor the directory those files are located in and whitelist the files

You can do all this through the SplunkWeb GUI or through conf files. Here's an example of what your inputs.conf should look like:

[monitor:///your_directory]
host = hostname
sourcetype = your_sourcetype
index = your_index
whitelist = console.*\.log

Heres the latest inputs.conf doc:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Thanks

How to configure inputs.conf to monitor files which get created automatically after reaching a certain size?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM