Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure inputs.conf to setup two separate monitoring rules?

khuongdp
New Member
‎10-21-2014 07:19 AM

I have these 2 group:

[monitor:///pack/jboss/server/edu01_*/logs/server.log]
sourcetype = server_log
index = myindex

[monitor:///pack/jboss/server/staging_xxx/log/server.log]
sourcetype = server_log
index = anothterindex

list monitor only show:
/pack/jboss/server/edu01_xxx/logs/server.log
/pack/jboss/server/edu01_yyy/logs/server.log

REST API (8089) show:
parent /pack/jboss/server/staging_xxx/log/server.log
type Did not match partial whitelist '^/pack/jboss/server/edu01_[^/]*/log/server.log$'.

I looks like it's using the same rule for both. I want to separate these rules.

Tags (1)
0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-21-2014 04:52 PM

The problem you're having is that a wildcard in the path specification of a monitor: stanza is implemented on the backend of a monitor: of the longest fixed path, and a whitelist = * regex to match the specific entries according to the original monitor: stanza. This means that the monitor stanza for "/pack/jboss/server/staging_xxx/log/server.log" is a descendent of the (implicit) rule: "/pack/jboss/server" (with whitelist...). If the list of edu_ subdirs is not large, you could iterate each.

You could also try this. Explicitly monitor the top-level directory, and include a whitelist to match the subpaths.

[monitor:///pack/jboss/server]
whitelist = (edu_.*|staging_xxx)/log/server.log
sourcetype = server_log

OMIT the sourcetype, but add a props.conf to include a source-based rule:

[source::///pack/jboss/server/staging_xxx/log/server.log]
index = foo

[source::///pack/jboss/server/edu_.*/log/server.log]
index = bar

(I haven't tested this particular example, but I've done things like this in the past.)

0 Karma
Reply

khuongdp
New Member
‎10-22-2014 12:07 AM

Hi

We are using a managed Splunk and I think it's not possible to use props.conf in the Universal Splunk Forwarder. http://answers.splunk.com/answers/27373/universal-forwarder-and-props-conf-and-transforms-conf.html

Any other solutions?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top