Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to monitor a log file on UNIX where file n...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rohithmn3
New Member
04-20-2017
09:43 PM
Hi Team,
My file name looks like below:
SASMeta_MetadataServer_2017-04-21_auq4066l_9175164.log
<-----constant------->_<cur-date>_<host>_<PID>.log
How shall i monitor this file content, it's a rotating file and each day a new file gets created..!
inputs.conf
[monitor:///var/logs/system/local]
whitelist =
What would be the whitelist for the above filename..!?
Please help here.
Regards,
Rohith
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dineshraj9
Builder
04-20-2017
10:19 PM
You could configure the inputs this way -
[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log]
index = index_name
sourcetype = sourcetype_name
crcSalt=<SOURCE>
So any log file which starts with "SASMeta_MetadataServer_" will be read.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dineshraj9
Builder
04-20-2017
10:19 PM
You could configure the inputs this way -
[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log]
index = index_name
sourcetype = sourcetype_name
crcSalt=<SOURCE>
So any log file which starts with "SASMeta_MetadataServer_" will be read.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rohithmn3
New Member
04-20-2017
10:44 PM
Hi Dinesh,
This monitor all files that starts with SASMeta_MetadataServer_*. In the above path there are multiple files and all starts with the same. So i don't want to monitor all. Is there a way i can only monitor the latest file..!?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dineshraj9
Builder
04-20-2017
10:47 PM
Hi Rohith,
You could add an ignoreOlderThan setting in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf
[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log]
index = index_name
sourcetype = sourcetype_name
crcSalt=<SOURCE>
ignoreOlderThan = 2d
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
