Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to monitor two paths in the inputs.conf under ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to monitor two paths in the inputs.conf under one sourcetype
Splunkster45
Communicator
06-26-2015
07:17 AM
In my inputs.conf file, I have an entry for a sourcetype that I want to change.
Currently, it monitors the path: /opt/A_*/B/C/Logs/Splunk/*.log.
I would also like to monitor the path: /opt/A_*/B/D/Logs/Splunk/*.log.
At first I thought that I could do this: /opt/A_*/B/*/Logs/Splunk/*.log, but there is a folder that I do not want to be ingested into splunk under this sourcetype: /opt/A_*/B/E/Logs/Splunk/*.log (There's actually multiple files that I do not want to ingest, some of which have not been created yet).
Whats the best way to (only) monitor /opt/A_*/B/C/Logs/Splunk/*.log and /opt/A_*/B/D/Logs/Splunk/*.log?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fdi01
Motivator
06-27-2015
02:34 PM
try like:
[monitor:///opt/A_*/B/C/Logs/Splunk/*.log ]
disabled = false
index = your_index_name
sourcetype = your_sourcetype_name
[monitor:///opt/A_*/B/D/Logs/Splunk/*.log ]
disabled = false
index = your_index_name
sourcetype = your_sourcetype_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
06-26-2015
07:55 AM
You have 2 options: use blacklist and whitelist configurations in your inputs.conf file (that is what I would do) OR, have splunk monitor a different directly and run a cron job to create links in that directory that point back to the files in the original directory but only for the files that you would like to forward.
http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/inputsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunkster45
Communicator
06-26-2015
09:08 AM
so, you mean something like this:
[monitor:///opt/A_*/B/.../Logs/Splunk/*.log]
whitelist= \/opt\/A_*/B/(C|D)\/Logs\/Splunk\/*.log
index=a
sourcetype=b
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-06-2015
10:09 PM
The markdown chewed up your formatting so I cannot tell what you meant; Edit it again and put 4 spaces in front of each of your code lines and markdown will not modify it.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
