Getting Data In

Input monitor wildcard and whitelist

johnsmith78
Engager

Hi

I read all I could find in the docs and in splunkbase but I'm still struggling with that simple problem:

I need to index all the log files corresponding to these paths:

/logs/serv1/apache-tomcat4/logs/application.log-2012-01-01
/logs/serv2/apache-tomcat3/logs/application.log-2011-01-01
/logs/serv3/apache-tomcat1/logs/application.log-2010-01-01

This would be generalized as:

/logs/serv[0-9]/apache-tomcat[1-4]/logs/application\.log.*

I cannot find a way to configure the monitor path of inputs.conf nor the whitelist to only index those files.

Mainly, I want to avoid indexing files from paths like:

/logs/serv3/apache-tomcat2OLD/logs/application.log-2010-01-01

All I see depending of what I try is the index getting Data input file count raise but nothing getting indexed, and a lot of "ERROR TailingProcessor - matching" in the splunkd.log file.

The only time it works is when I specify the full paths without wildcards in the monitor url like:

/logs/serv1/apache-tomcat1/logs/application.log*
/logs/serv1/apache-tomcat2/logs/application.log*
/logs/serv1/apache-tomcat3/logs/application.log*
/logs/serv1/apache-tomcat4/logs/application.log*
/logs/serv2/apache-tomcat1/logs/application.log*
etc...

But I don't want to have all of them as separate inputs if I can specify one regex to match them all.

Thanks

cvajs
Contributor

edit the source input path via Manager
/logs/.../\w+\.\w+-\d+-\d+-\d+
or if this is too generic then
/logs/.../application\.log-\d+-\d+-\d+

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...