Getting Data In

How to monitor multiple unrelated directories

michaellightfoo
New Member

Using the universal forwarder I need to monitor multiple directories in separate parts of the filesystem.

Specifically (obfuscated so as not to identify our customer):
[monitor:///var/log]
[monitor:///home//logs]

It seems that multiple monitor stanzas are not working (at least our customer is reporting that the second monitor stanza is not forwarding any files to their Splunk instance).

Is there a workable solution?

0 Karma

michaellightfoo
New Member

I suspect that the problem is at the customer splunk end as I have run a tcpdump and can see the data from both monitors being sent to their instance. Unfortunately I do not have access to that splunk instance so I cannot verify anything.

I will mention that they might need to check that they are ingesting the timestamps correctly.

0 Karma

gcusello
SplunkTrust

Hi michaellightfoot,
the best approach to monitor many different folders is to plan the ingestion before starting, in other words: use an Excel file to define the monitoring perimeter: all the hosts to monitor and, for each server, the folders to ingest.
In this way you can create your own inputs.conf that permits you to ingest all the logs you want.

To debug logs that may not have been ingested, you have to map the monitoring perimeter against the logs you're receiving so you can define which folders are missing.
At this point you have to check each folder one by one to understand if there are logs to ingest or not.
In this way you can limit the folders to check.

At first check file permissions: maybe the user you're using to run the Splunk Universal Forwarder hasn't read permissions on that folder or files.
Then check the time format of your logs: maybe the logs have the time format dd/mm/yyyy and by default Splunk uses the time format mm/dd/yyyy, so you ingested the logs, but instead of having the 3rd of February as the timestamp they have the 2nd of March.

Let me know if in this way you solved it.

Ciao.
Giuseppe

0 Karma
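An added example, not code from the thread or from Splunk, that turns the two checks in the answer above into a script: it lists the monitor stanzas from an inputs.conf, verifies that each folder exists and is readable by the user the forwarder runs as, and flags log dates that a default mm/dd/yyyy guess would misread. The inputs.conf text, the paths and the log lines are constructed samples.

```python
import os
import re
import tempfile
from typing import Dict, List

# Constructed inputs.conf, modelled on the two stanzas in the question (hypothetical paths).
SAMPLE_INPUTS_CONF = """
[monitor:///var/log]
sourcetype = syslog

[monitor:///home/app/logs]
sourcetype = app_logs
"""
# Constructed log lines with dd/mm/yyyy dates, the case described in the answer.
SAMPLE_LOG_LINES = [
    "23/02/2024 10:00:01 app started",   # day > 12: can only be dd/mm/yyyy
    "03/02/2024 10:00:02 app ready",     # 3 Feb, but an mm/dd guess reads 2 Mar
]
STANZA_RE = re.compile(r"^\s*\[monitor://(?P<path>[^\]]+)\]\s*$")
DATE_RE = re.compile(r"\b(\d{2})/(\d{2})/(\d{4})\b")

def parse_monitor_stanzas(conf_text: str) -> List[str]:
    """Return the path of every [monitor://...] stanza, in file order."""
    return [m.group("path") for line in conf_text.splitlines()
            if (m := STANZA_RE.match(line))]

def check_monitor_path(path: str) -> Dict[str, object]:
    """Report whether the process's own user can read from `path`: run this as the
    forwarder's user, since a folder that exists but is not readable/traversable
    is the classic reason a second monitor stanza silently forwards nothing."""
    exists = os.path.isdir(path)
    readable = exists and os.access(path, os.R_OK | os.X_OK)
    files = [os.path.join(root, n) for root, _, names in os.walk(path)
             for n in names] if readable else []
    return {"path": path, "exists": exists, "readable": readable,
            "files": len(files),
            "unreadable_files": [f for f in files if not os.access(f, os.R_OK)]}

def classify_dates(log_lines: List[str]) -> Dict[str, List[str]]:
    """Split nn/nn/yyyy dates into 'day_first' (first field > 12, proving the file
    is dd/mm/yyyy and needs an explicit TIME_FORMAT in props.conf) and
    'ambiguous' (both fields <= 12, which a default mm/dd/yyyy guess silently swaps)."""
    out: Dict[str, List[str]] = {"day_first": [], "ambiguous": []}
    for line in log_lines:
        m = DATE_RE.search(line)
        if m:
            out["day_first" if int(m.group(1)) > 12 else "ambiguous"].append(line)
    return out

def demo_permission_check() -> Dict[str, Dict[str, object]]:
    """Run check_monitor_path on a throwaway readable folder and on a missing one."""
    good = tempfile.mkdtemp()
    open(os.path.join(good, "a.log"), "w").close()
    return {"good": check_monitor_path(good),
            "missing": check_monitor_path(os.path.join(good, "does-not-exist"))}
```

Run it on the real inputs.conf as the forwarder's user (for example via `sudo -u splunk`) so that the permission results reflect what the forwarder actually sees.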