Getting Data In

How to monitor two paths in the inputs.conf under one sourcetype

Splunkster45
Communicator

In my inputs.conf file, I have an entry for a sourcetype that I want to change.

Currently, it monitors the path: /opt/A_*/B/C/Logs/Splunk/*.log.
I would also like to monitor the path: /opt/A_*/B/D/Logs/Splunk/*.log.

At first I thought that I could do this: /opt/A_*/B/*/Logs/Splunk/*.log, but there is a folder that I do not want to be ingested into splunk under this sourcetype: /opt/A_*/B/E/Logs/Splunk/*.log (There's actually multiple files that I do not want to ingest, some of which have not been created yet).

Whats the best way to (only) monitor /opt/A_*/B/C/Logs/Splunk/*.log and /opt/A_*/B/D/Logs/Splunk/*.log?

Thanks

0 Karma

fdi01
Motivator

try like:

 [monitor:///opt/A_*/B/C/Logs/Splunk/*.log  ]
  disabled = false
  index = your_index_name
  sourcetype = your_sourcetype_name

 [monitor:///opt/A_*/B/D/Logs/Splunk/*.log ]
  disabled = false
  index = your_index_name
  sourcetype = your_sourcetype_name
0 Karma

woodcock
Esteemed Legend

You have 2 options: use blacklist and whitelist configurations in your inputs.conf file (that is what I would do) OR, have splunk monitor a different directly and run a cron job to create links in that directory that point back to the files in the original directory but only for the files that you would like to forward.

http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/inputsconf

0 Karma

Splunkster45
Communicator

so, you mean something like this:

[monitor:///opt/A_*/B/.../Logs/Splunk/*.log]
whitelist= \/opt\/A_*/B/(C|D)\/Logs\/Splunk\/*.log
index=a
sourcetype=b
0 Karma

woodcock
Esteemed Legend

The markdown chewed up your formatting so I cannot tell what you meant; Edit it again and put 4 spaces in front of each of your code lines and markdown will not modify it.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...