Getting Data In

How to monitor .lst files

dantimola
Communicator

Hi Splunkers,

Good day. Would like to ask regarding monitoring .lst, for your insight, .lst files are files oracle logs pulled from the server. When I'm trying the traditional way of monitoring logs (inputs.conf configuration), our Splunk is not reading the files unless otherwise renames as .log. Please see details:

**inputs.conf**
[monitor:///home/oracle/LAR/*.lst]
disabled = 0
index = oracledb

Sample data
alt text

0 Karma
1 Solution

dantimola
Communicator

Resolved the issue by adding _whitelist = \.lst$ in the inputs.conf

View solution in original post

0 Karma

dantimola
Communicator

Resolved the issue by adding _whitelist = \.lst$ in the inputs.conf

0 Karma

adonio
Ultra Champion

hello there,

can you try and use the GUI to upload the file and see how it looks like?
navigate to settings - > add data -> upload -> go from there.
you might need to copy the .lst file to your desktop

hope it helps

0 Karma

dantimola
Communicator

Tried it also, it is indeed working, however, our client wants to use the Splunk Universal Forwarder installed on that server instead of uploading it to our Splunk manually which is the right way. Thanks for the answer by the way 🙂

0 Karma

adonio
Ultra Champion

you are welcome,
it is very odd that the forwarder does not pick it up. when you bring the data using a Universal Forwarder and the monitor stanza, do you see text or gibrish?
btw, you can install a full splunk instance and have it monitor and send data - Heavy Forwarder.
let me know so we can solve it

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...