In my `inputs.conf` file, I have an entry for a sourcetype that I want to change.
Currently, it monitors the path: `/opt/A_*/B/C/Logs/Splunk/*.log`.
I would also like to monitor the path: `/opt/A_*/B/D/Logs/Splunk/*.log`.
At first I thought that I could do this: `/opt/A_*/B/*/Logs/Splunk/*.log`, but there is a folder that I do not want to be ingested into Splunk under this sourcetype: `/opt/A_*/B/E/Logs/Splunk/*.log` (There are actually multiple files that I do not want to ingest, some of which have not been created yet).
What's the best way to (only) monitor `/opt/A_*/B/C/Logs/Splunk/*.log` and `/opt/A_*/B/D/Logs/Splunk/*.log`?
Thanks
Try like:

    [monitor:///opt/A_*/B/C/Logs/Splunk/*.log]
    disabled = false
    index = your_index_name
    sourcetype = your_sourcetype_name

    [monitor:///opt/A_*/B/D/Logs/Splunk/*.log]
    disabled = false
    index = your_index_name
    sourcetype = your_sourcetype_name

You have 2 options: use `blacklist` and `whitelist` configurations in your `inputs.conf` file (that is what I would do) OR, have Splunk monitor a different directory and run a cron job to create links in that directory that point back to the files in the original directory but only for the files that you would like to forward.
http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/inputsconf
so, you mean something like this:
[monitor:///opt/A_*/B/.../Logs/Splunk/*.log]
whitelist= \/opt\/A_*/B/(C|D)\/Logs\/Splunk\/*.log
index=a
sourcetype=b
The markdown chewed up your formatting so I cannot tell what you meant; edit it again and put 4 spaces in front of each of your code lines and markdown will not modify it.
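
A way to check a candidate `whitelist` regex against sample paths before it goes into `inputs.conf`, as an added example that is not part of the original thread. It assumes the whitelist is applied as an unanchored regular expression over the full file path; the sample paths, the names `GLOB_STYLE`, `STRICT`, `monitored` and `stanza`, and the single `[monitor:///opt]` stanza layout are constructed for illustration.

```python
import re

# Constructed sample paths for illustration (not taken from the thread's hosts).
SAMPLE_PATHS = [
    "/opt/A_prod/B/C/Logs/Splunk/app.log",      # wanted
    "/opt/A_test/B/D/Logs/Splunk/audit.log",    # wanted
    "/opt/A_prod/B/E/Logs/Splunk/app.log",      # excluded folder
    "/opt/A_prod/B/F/Logs/Splunk/new.log",      # folder created later, excluded
    "/opt/A_prod/B/CD/Logs/Splunk/app.log",     # similar name, excluded
    "/opt/A_prod/B/C/Logs/Splunk/old/app.log",  # deeper than the glob reached
    "/opt/A_prod/B/C/Logs/Splunk/app.log.1",    # rotated copy, not *.log
]

# Glob wildcards typed into a regex change meaning: "A_*" is "A" followed by
# zero or more "_", "/*" is zero or more "/", and "." is any character.
GLOB_STYLE = r"/opt/A_*/B/(C|D)/Logs/Splunk/*.log"

# Regex form of the two wanted globs: [^/]* stays within one path segment,
# the dot is escaped, and ^...$ pins the match to the whole path.
STRICT = r"^/opt/A_[^/]*/B/(C|D)/Logs/Splunk/[^/]*\.log$"


def monitored(pattern, paths=SAMPLE_PATHS):
    """Return the paths a whitelist regex would let through.

    Assumption: the whitelist is an unanchored regex over the full path,
    which re.search models for patterns this simple.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def stanza(pattern, index="your_index_name", sourcetype="your_sourcetype_name"):
    """Render a single monitor stanza on /opt that relies on the whitelist."""
    return "\n".join([
        "[monitor:///opt]",
        f"whitelist = {pattern}",
        f"index = {index}",
        f"sourcetype = {sourcetype}",
    ])


if __name__ == "__main__":
    for name, pattern in (("GLOB_STYLE", GLOB_STYLE), ("STRICT", STRICT)):
        print(name, "->", monitored(pattern))
    print(stanza(STRICT))
```

A pattern that lets nothing through fails silently as missing log coverage, so running the check against paths that should and should not match is worth doing before a deploy.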