In my inputs.conf file, I have an entry for a sourcetype that I want to change.
Currently, it monitors the path:
I would also like to monitor the path:
At first I thought that I could do this:
/opt/A_*/B/*/Logs/Splunk/*.log, but there is a folder that I do not want to be ingested into Splunk under this sourcetype:
/opt/A_*/B/E/Logs/Splunk/*.log (There are actually multiple files that I do not want to ingest, some of which have not been created yet).
What's the best way to (only) monitor
[monitor:///opt/A_*/B/C/Logs/Splunk/*.log]
disabled = false
index = your_index_name
sourcetype = your_sourcetype_name

[monitor:///opt/A_*/B/D/Logs/Splunk/*.log]
disabled = false
index = your_index_name
sourcetype = your_sourcetype_name
You have 2 options: use whitelist configurations in your inputs.conf file (that is what I would do) OR have Splunk monitor a different directory and run a cron job to create links in that directory that point back to the files in the original directory, but only for the files that you would like to forward.
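
A small Python model of the path matching discussed in this thread, added here as an example and not part of the question or either answer: it shows why the single wildcard stanza picks up folder E, why a blacklist misses folders created later, and how a whitelist regex scopes ingestion to C and D only. The folder names C, D and E come from the thread; the A_1/A_2 sample paths, folder F, the /opt base directory and both regexes are constructed assumptions, and the model simplifies Splunk's behaviour to "under the monitored directory, not blacklisted, matches the whitelist".

```python
import re

def wildcard_to_regex(stanza_path):
    """Translate inputs.conf path wildcards: '...' crosses directories, '*' does not."""
    parts = re.split(r"(\.\.\.|\*)", stanza_path)
    table = {"...": ".*", "*": "[^/]*"}
    return "^" + "".join(table.get(p, re.escape(p)) for p in parts) + "$"

def wildcard_matches(stanza_path, path):
    """True if a wildcard monitor path would pick up this file."""
    return re.search(wildcard_to_regex(stanza_path), path) is not None

def allowed(path, base_dir, whitelist=None, blacklist=None):
    """Simplified model of a wildcard-free monitor stanza with whitelist/blacklist."""
    if not path.startswith(base_dir.rstrip("/") + "/"):
        return False
    if blacklist and re.search(blacklist, path):   # a blacklist hit always excludes
        return False
    if whitelist and not re.search(whitelist, path):
        return False
    return True

# Assumed regexes (not from the thread), matched against the full file path.
WHITELIST = r"^/opt/A_[^/]*/B/(C|D)/Logs/Splunk/[^/]*\.log$"
BLACKLIST_E = r"/B/E/Logs/Splunk/"

# Constructed sample paths; folder F stands for a directory created later.
SAMPLES = [
    "/opt/A_1/B/C/Logs/Splunk/app.log",
    "/opt/A_2/B/D/Logs/Splunk/app.log",
    "/opt/A_1/B/E/Logs/Splunk/app.log",
    "/opt/A_1/B/F/Logs/Splunk/app.log",
    "/opt/A_1/B/C/Logs/Splunk/app.txt",
]

def ingested(whitelist=None, blacklist=None):
    """Return the sample paths that would be ingested under [monitor:///opt]."""
    return [p for p in SAMPLES if allowed(p, "/opt", whitelist, blacklist)]

if __name__ == "__main__":
    wide = "/opt/A_*/B/*/Logs/Splunk/*.log"
    print("wildcard stanza :", [p for p in SAMPLES if wildcard_matches(wide, p)])
    print("blacklist E only:", ingested(blacklist=BLACKLIST_E))
    print("whitelist C|D   :", ingested(whitelist=WHITELIST))
```

Run it against a listing of real paths from the host before deploying a whitelist, so that anything unintentionally excluded or included shows up before data reaches the index.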