Re: How to monitor two paths in the inputs.conf un...

Splunkster45 · ‎06-26-2015

In my inputs.conf file, I have an entry for a sourcetype that I want to change.

Currently, it monitors the path: /opt/A_*/B/C/Logs/Splunk/*.log.
I would also like to monitor the path: /opt/A_*/B/D/Logs/Splunk/*.log.

At first I thought that I could do this: /opt/A_*/B/*/Logs/Splunk/*.log, but there is a folder that I do not want to be ingested into splunk under this sourcetype: /opt/A_*/B/E/Logs/Splunk/*.log (There's actually multiple files that I do not want to ingest, some of which have not been created yet).

Whats the best way to (only) monitor /opt/A_*/B/C/Logs/Splunk/*.log and /opt/A_*/B/D/Logs/Splunk/*.log?

Thanks

fdi01 · ‎06-27-2015

try like:

 [monitor:///opt/A_*/B/C/Logs/Splunk/*.log  ]
  disabled = false
  index = your_index_name
  sourcetype = your_sourcetype_name

 [monitor:///opt/A_*/B/D/Logs/Splunk/*.log ]
  disabled = false
  index = your_index_name
  sourcetype = your_sourcetype_name

woodcock · ‎06-26-2015

You have 2 options: use blacklist and whitelist configurations in your inputs.conf file (that is what I would do) OR, have splunk monitor a different directly and run a cron job to create links in that directory that point back to the files in the original directory but only for the files that you would like to forward.

http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/inputsconf

Splunkster45 · ‎06-26-2015

so, you mean something like this:

[monitor:///opt/A_*/B/.../Logs/Splunk/*.log]
whitelist= \/opt\/A_*/B/(C|D)\/Logs\/Splunk\/*.log
index=a
sourcetype=b

woodcock · ‎07-06-2015

The markdown chewed up your formatting so I cannot tell what you meant; Edit it again and put 4 spaces in front of each of your code lines and markdown will not modify it.

How to monitor two paths in the inputs.conf under one sourcetype

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!