Hi Team,
My file name looks like below:
SASMeta_MetadataServer_2017-04-21_auq4066l_9175164.log
<-----constant------->_<cur-date>_<host>_<PID>.log
How shall I monitor this file content? It's a rotating file, and each day a new file gets created.
inputs.conf
[monitor:///var/logs/system/local]
whitelist =
What would be the whitelist for the above filename?
Please help here.
Regards,
Rohith
You could configure the inputs this way -
[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log]
index = index_name
sourcetype = sourcetype_name
crcSalt=<SOURCE>
So any log file which starts with "SASMeta_MetadataServer_" will be read.
Hi Dinesh,
This monitors all files that start with SASMeta_MetadataServer_*. In the above path there are multiple files and all start with the same. So I don't want to monitor all. Is there a way I can monitor only the latest file?
Hi Rohith,
You could add an ignoreOlderThan setting in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf
[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log]
index = index_name
sourcetype = sourcetype_name
crcSalt=<SOURCE>
ignoreOlderThan = 2d
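Added example, not part of the original thread and not Splunk's own code: a Python sketch that approximates which files a whitelist regex for the naming pattern above, combined with an ignoreOlderThan cutoff, would select. The regex, the function names and the sample listing are constructed assumptions, and the selection logic is a simplified model based on file modification time.

```python
import re
from datetime import datetime, timedelta

# Assumed regex for <constant>_<cur-date>_<host>_<PID>.log, usable as a whitelist value.
WHITELIST = r"SASMeta_MetadataServer_\d{4}-\d{2}-\d{2}_[^_/]+_\d+\.log$"

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

def parse_age(value):
    """Convert an ignoreOlderThan-style value such as '2d' into a timedelta."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if not m:
        raise ValueError(f"unsupported age value: {value!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})

def would_monitor(files, now, whitelist=WHITELIST, ignore_older_than="2d"):
    """Return paths that match the whitelist and were modified within the cutoff.

    files: iterable of (path, mtime) pairs. Simplified model, not Splunk's
    implementation.
    """
    pattern = re.compile(whitelist)
    max_age = parse_age(ignore_older_than)
    return [path for path, mtime in files
            if pattern.search(path) and now - mtime <= max_age]

# Constructed sample listing: rotated files plus two names that must not match.
NOW = datetime(2017, 4, 21, 12, 0, 0)
BASE = "/var/logs/system/local/"
SAMPLE = [
    (BASE + "SASMeta_MetadataServer_2017-04-21_auq4066l_9175164.log", NOW - timedelta(minutes=5)),
    (BASE + "SASMeta_MetadataServer_2017-04-20_auq4066l_9001122.log", NOW - timedelta(hours=30)),
    (BASE + "SASMeta_MetadataServer_2017-04-15_auq4066l_8800001.log", NOW - timedelta(days=6)),
    (BASE + "SASMeta_MetadataServer_notes.log", NOW - timedelta(minutes=1)),
    (BASE + "ObjectSpawner_2017-04-21_auq4066l_4242.log", NOW - timedelta(minutes=1)),
]

if __name__ == "__main__":
    for cutoff in ("2d", "1d"):
        print(cutoff, would_monitor(SAMPLE, NOW, ignore_older_than=cutoff))
```

With the 2d cutoff the previous day's file is still selected; a 1d cutoff leaves only the current day's file in this sample.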