Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to monitor two paths in the inputs.conf under ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to monitor two paths in the inputs.conf under one sourcetype
Splunkster45
Communicator
06-26-2015
07:17 AM
In my inputs.conf file, I have an entry for a sourcetype that I want to change.
Currently, it monitors the path: /opt/A_*/B/C/Logs/Splunk/*.log.
I would also like to monitor the path: /opt/A_*/B/D/Logs/Splunk/*.log.
At first I thought that I could do this: /opt/A_*/B/*/Logs/Splunk/*.log, but there is a folder that I do not want to be ingested into splunk under this sourcetype: /opt/A_*/B/E/Logs/Splunk/*.log (There's actually multiple files that I do not want to ingest, some of which have not been created yet).
Whats the best way to (only) monitor /opt/A_*/B/C/Logs/Splunk/*.log and /opt/A_*/B/D/Logs/Splunk/*.log?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fdi01
Motivator
06-27-2015
02:34 PM
try like:
[monitor:///opt/A_*/B/C/Logs/Splunk/*.log ]
disabled = false
index = your_index_name
sourcetype = your_sourcetype_name
[monitor:///opt/A_*/B/D/Logs/Splunk/*.log ]
disabled = false
index = your_index_name
sourcetype = your_sourcetype_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
06-26-2015
07:55 AM
You have 2 options: use blacklist and whitelist configurations in your inputs.conf file (that is what I would do) OR, have splunk monitor a different directly and run a cron job to create links in that directory that point back to the files in the original directory but only for the files that you would like to forward.
http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/inputsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunkster45
Communicator
06-26-2015
09:08 AM
so, you mean something like this:
[monitor:///opt/A_*/B/.../Logs/Splunk/*.log]
whitelist= \/opt\/A_*/B/(C|D)\/Logs\/Splunk\/*.log
index=a
sourcetype=b
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-06-2015
10:09 PM
The markdown chewed up your formatting so I cannot tell what you meant; Edit it again and put 4 spaces in front of each of your code lines and markdown will not modify it.
Get Updates on the Splunk Community!
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Leveraging Detections from the Splunk Threat Research Team & Cisco Talos
Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
