Getting Data In

How to configure inputs.conf to setup two separate monitoring rules?

New Member

I have these 2 group:

sourcetype = server_log
index = myindex

sourcetype = server_log
index = anothterindex

list monitor only show:

REST API (8089) show:
parent /pack/jboss/server/staging_xxx/log/server.log
type Did not match partial whitelist '^/pack/jboss/server/edu01_[^/]*/log/server.log$'.

I looks like it's using the same rule for both. I want to separate these rules.

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

The problem you're having is that a wildcard in the path specification of a monitor: stanza is implemented on the backend of a monitor: of the longest fixed path, and a whitelist = * regex to match the specific entries according to the original monitor: stanza. This means that the monitor stanza for "/pack/jboss/server/staging_xxx/log/server.log" is a descendent of the (implicit) rule: "/pack/jboss/server" (with whitelist...). If the list of edu_ subdirs is not large, you could iterate each.

You could also try this. Explicitly monitor the top-level directory, and include a whitelist to match the subpaths.

whitelist = (edu_.*|staging_xxx)/log/server.log
sourcetype = server_log

OMIT the sourcetype, but add a props.conf to include a source-based rule:

index = foo
index = bar

(I haven't tested this particular example, but I've done things like this in the past.)

0 Karma

New Member


We are using a managed Splunk and I think it's not possible to use props.conf in the Universal Splunk Forwarder.

Any other solutions?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!