
How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Motivator

Hi All, can anyone guide us on how to create an input stanza to monitor files through Splunk? We need to monitor logs from application servers that are running on both Windows and Unix machines.

Logs to be monitored
Unix server:
/opt/IBM/middleware/userprojects/domains/Test/servers/TIMserver/logs/TIM_server.out*
/opt/IBM/middleware/userprojects/domains/Test/servers/TIMserver/logs/TIM_server-diag*.log

Windows server :
D:\ServerLog\ServerDaily-*.log

inputs.conf detail
[monitor:///opt/IBM/middleware/userprojects/domains/Test/servers/ITMserver/logs/.]
index=app
sourcetype=IBM:AUT:TAM
disabled = 0

inputs.conf detail for windows machine
[monitor://D:\ServerLog\ServerDaily-*.log]
index=app
sourcetype=IBM:AUT:TAM
disabled = 0

Kindly guide me on whether the above stanzas are defined correctly to monitor the required logs from the UNIX and Windows servers. If not, guide me with the correct stanza to be configured. Also, can we configure both Windows and UNIX monitor stanzas in a single inputs.conf file?

Thanks in advance

0 Karma

Re: How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Builder

Hi Hemnaath,

This should work -

[monitor:///opt/IBM/middleware/user_projects/domains/Test/servers/ITM_server*/logs/*(.out|.log)*]
index=app
sourcetype=IBM:AUT:TAM
blacklist = (\.(tar|gz|bz2|tar.gz|tgz|tbz|tbz2|zip|z)$)


Re: How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Motivator

Thanks dineshraj, but can you please explain to us how it works? Also, can we configure Windows and Unix stanzas in the same inputs.conf file?

thanks in advance

0 Karma

Re: How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Builder

I would suggest creating 2 separate inputs files for Unix and Windows servers and having 2 sets of stanzas in serverclass.conf (one for Unix and one for Windows). We don't want Splunk to monitor Windows paths on Unix servers or vice versa.

The monitor path supports wildcards as well as regular expressions. So here you are reading any log file whose name contains ".out" or ".log", and in the blacklist you are filtering out files with certain extensions.

More on inputs.conf here - http://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Inputsconf


Re: How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Motivator

Thanks dineshraj, it's much-needed help. This is the first time I got a request to monitor a set of files. Similarly, we have to monitor the below log details in Splunk for the same servers. Can I configure the stanza like you had mentioned in the above comments in the same inputs.conf stanza?

Log details to be monitored :
/opt/IBM/middleware/userprojects/domains/Test/servers/TAMserver/logs/TAM_server.out*

/opt/IBM/middleware/userprojects/domains/Test/servers/TAMserver/logs/TAM_server-diag*.log

/opt/IBM/middleware/userprojects/domains/Test/servers/clserver/logs/cl_server.out*

/opt/IBM/middleware/userprojects/domains/Test/servers/clserver/logs/cl_server-diag*.log

Inputs.conf stanza

[monitor:///opt/IBM/middleware/userprojects/domains/Test/servers/TAMserver/logs/(.out|.log)*]
index=app
sourcetype=IBM:AUT:TAM
blacklist = (.(tar|gz|bz2|tar.gz|tgz|tbz|tbz2|zip|z)$)

[monitor:///opt/IBM/middleware/userprojects/domains/Test/servers/clserver/logs/(.out|.log)*]
index=app
sourcetype=IBM:AUT:TAM
blacklist = (.(tar|gz|bz2|tar.gz|tgz|tbz|tbz2|zip|z)$)

But is it necessary to configure the blacklist stanza?

thanks in advance

0 Karma

Re: How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Builder

Blacklists are not mandatory, but when using wildcards they will help you filter unwanted data.

The monitors look good. Just ensure that no change to sourcetype is required for the new set of logs from cl_server.

0 Karma
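Added example, not part of the thread: a quick check of which files a blacklist regex would exclude before the stanza is deployed, comparing the escaped pattern from the first answer with the unescaped form in the later stanzas. The sample paths are constructed, and the script assumes Python's `re` matches this pattern the same way Splunk's PCRE does when searching the full path unanchored.

```python
import re

# Blacklist as posted in the first answer (leading dot escaped).
ESCAPED = r"(\.(tar|gz|bz2|tar.gz|tgz|tbz|tbz2|zip|z)$)"
# Same pattern as it appears in the later stanzas (leading dot unescaped).
UNESCAPED = r"(.(tar|gz|bz2|tar.gz|tgz|tbz|tbz2|zip|z)$)"

# Constructed sample paths; the file names follow the thread's naming only loosely.
SAMPLES = [
    "/logs/TAM_server.out",
    "/logs/TAM_server.out00012",
    "/logs/TAM_server-diag-3.log",
    "/logs/TAM_server.out.gz",
    "/logs/TAM_server-diag-1.log.zip",
    "/logs/archive-2017.tgz",
    "/logs/TAM_server.out-jazz",
    "/logs/TAM_server.out_tgz",
]


def skipped(pattern, paths):
    """Return the paths the blacklist regex matches, i.e. files not monitored."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def silently_lost(paths):
    """Files dropped by the unescaped pattern that the escaped one would keep."""
    strict = set(skipped(ESCAPED, paths))
    return [p for p in skipped(UNESCAPED, paths) if p not in strict]


if __name__ == "__main__":
    print("excluded by escaped pattern:")
    for p in skipped(ESCAPED, SAMPLES):
        print("  ", p)
    print("additionally excluded when the dot is unescaped:")
    for p in silently_lost(SAMPLES):
        print("  ", p)
```

With the unescaped dot, any file whose name merely ends in one of the listed suffixes is excluded, so a live log can go unmonitored without any error being raised.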

Re: How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Motivator

Thanks dineshraj. Regarding the two sets of serverclass, can I define them like this?
For Unix:
[serverClass:Test-TAM]
whitelist.0 = testtam*

[serverClass:Test-TAM:app:Test-TAM]
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled

For Windows:
[serverClass:Test-TAM2]
whitelist.0 = testtIM*

[serverClass:Test-TAM2:app:Test-TAM2]
restartSplunkWeb = 0
restartSplunkd = 1
stateOnClient = enabled

Thanks in advance.

0 Karma

Re: How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Builder

Yes, this looks fine!!

0 Karma

Re: How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Motivator

Hi Dineshraj, after configuring/pushing the above stanza from DP to the remote systems, we could see the data getting into Splunk and unable to perform the search. But currently we face another issue: data pulled from the remote machine contains some large list of unwanted URLs followed by "at".

Details :

at java.lang.reflect.Method.invoke(Method.java:606)
at IBM.idm.common.login.SignInBean.handleWeblogicAuthn(SignInBean.java:133)
at IBM.idm.common.login.SignInBean.doLogin(SignInBean.java:99)
at sun.reflect.GeneratedMethodAccessor5210.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.sun.el.parser.AstValue.invoke(AstValue.java:187)
at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:297)

Kindly guide me on how to remove these URLs from the logs.

0 Karma

Re: How to write a monitor stanza in inputs.conf to monitor a file in splunk ?

Motivator

Hi Dineshraj, could you please guide me on this issue? I need to remove the above details from the events.

Thanks in advance.

0 Karma