Getting Data In

How to monitor two paths in the inputs.conf under one sourcetype

Splunkster45
Communicator

In my inputs.conf file, I have an entry for a sourcetype that I want to change.

Currently, it monitors the path: /opt/A_*/B/C/Logs/Splunk/*.log.
I would also like to monitor the path: /opt/A_*/B/D/Logs/Splunk/*.log.

At first I thought that I could do this: /opt/A_*/B/*/Logs/Splunk/*.log, but there is a folder that I do not want to be ingested into splunk under this sourcetype: /opt/A_*/B/E/Logs/Splunk/*.log (There's actually multiple files that I do not want to ingest, some of which have not been created yet).

Whats the best way to (only) monitor /opt/A_*/B/C/Logs/Splunk/*.log and /opt/A_*/B/D/Logs/Splunk/*.log?

Thanks

0 Karma

fdi01
Motivator

try like:

 [monitor:///opt/A_*/B/C/Logs/Splunk/*.log  ]
  disabled = false
  index = your_index_name
  sourcetype = your_sourcetype_name

 [monitor:///opt/A_*/B/D/Logs/Splunk/*.log ]
  disabled = false
  index = your_index_name
  sourcetype = your_sourcetype_name
0 Karma

woodcock
Esteemed Legend

You have 2 options: use blacklist and whitelist configurations in your inputs.conf file (that is what I would do) OR, have splunk monitor a different directly and run a cron job to create links in that directory that point back to the files in the original directory but only for the files that you would like to forward.

http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/inputsconf

0 Karma

Splunkster45
Communicator

so, you mean something like this:

[monitor:///opt/A_*/B/.../Logs/Splunk/*.log]
whitelist= \/opt\/A_*/B/(C|D)\/Logs\/Splunk\/*.log
index=a
sourcetype=b
0 Karma

woodcock
Esteemed Legend

The markdown chewed up your formatting so I cannot tell what you meant; Edit it again and put 4 spaces in front of each of your code lines and markdown will not modify it.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...