Getting Data In

How to monitor a log file on UNIX where file name has date and PID which which are not static all the time.?

rohithmn3
New Member

Hi Team,

My file name looks like below:

SASMeta_MetadataServer_2017-04-21_auq4066l_9175164.log
<-----constant------->_<cur-date>_<host>_<PID>.log

How shall i monitor this file content, it's a rotating file and each day a new file gets created..!

inputs.conf

[monitor:///var/logs/system/local]
whitelist = 

What would be the whitelist for the above filename..!?
Please help here.

Regards,
Rohith

0 Karma
1 Solution

dineshraj9
Builder

You could configure the inputs this way -

[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log] 
index = index_name 
sourcetype = sourcetype_name
crcSalt=<SOURCE>

So any log file which starts with "SASMeta_MetadataServer_" will be read.

View solution in original post

0 Karma

dineshraj9
Builder

You could configure the inputs this way -

[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log] 
index = index_name 
sourcetype = sourcetype_name
crcSalt=<SOURCE>

So any log file which starts with "SASMeta_MetadataServer_" will be read.

0 Karma

rohithmn3
New Member

Hi Dinesh,

This monitor all files that starts with SASMeta_MetadataServer_*. In the above path there are multiple files and all starts with the same. So i don't want to monitor all. Is there a way i can only monitor the latest file..!?

0 Karma

dineshraj9
Builder

Hi Rohith,

You could add an ignoreOlderThan setting in inputs.conf.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf

[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log] 
index = index_name 
sourcetype = sourcetype_name
crcSalt=<SOURCE>
ignoreOlderThan = 2d
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...