Getting Data In

How to properly configure inputs.conf on a shared server?

Contributor

Splunk forwarder 8.0.2 - All on Windows. Case is, we do have a server which, due to licensing issues of a product is shared for all preprod environments. Logs are structured like this

d:\logs\sites
     - Dev 
            - <sitename>
                   - messagelogs
                   - w3c
     - Test 
            - <sitename>
                   - messagelogs
                   - w3c
     - Qa
            - <sitename>
                   - messagelogs
                   - w3c

For each environment I have configured inputs.conf like this

[monitor://d:\logs\sites\dev\*\*Exceptions.log]

Replacing the name of the environment in every file. The rest of the stanza is fine, because the servers which are pr. environment has the same stanza, but omitting the name of the environment - like this

[monitor://d:\logs\sites\*\*Exceptions.log]

If I am not totally mistaken, the use of the wildcard is correct and means "One level, any name", compared to three dots '...' which means "any levels down until you find a match". Therefore the two example-stanzas should not 'collide' and also the inputs.conf for the other enviroments should also not cause an issue since they have their unique name in the path.

But still - no events logged from that server. Exept for - realzing now when writing this - that the stanzas

[monitor://C:\Windows\System32\LogFiles\HTTPERR\httperr*.log]
[monitor://d:\logs\powershell\*.log]

are identical in all inputs.conf, but it seems that the "first" index takes preference for that and indexes it to the dev-index. But still, cannot see that it could break the rest.

No errors logges when restarting the forwarder, not running the btool --debug (Just warnings found on all the other servers as well)

0 Karma