Hi
I read all I could find in the docs and in splunkbase but I'm still struggling with that simple problem:
I need to index all the log files corresponding to these paths:
/logs/serv1/apache-tomcat4/logs/application.log-2012-01-01
/logs/serv2/apache-tomcat3/logs/application.log-2011-01-01
/logs/serv3/apache-tomcat1/logs/application.log-2010-01-01
This would be generalized as:
/logs/serv[0-9]/apache-tomcat[1-4]/logs/application\.log.*
I cannot find a way to configure the monitor path of inputs.conf nor the whitelist to only index those files.
Mainly, I want to avoid indexing files from paths like:
/logs/serv3/apache-tomcat2OLD/logs/application.log-2010-01-01
All I see, depending on what I try, is the index's Data input file count rising but nothing getting indexed, and a lot of "ERROR TailingProcessor - matching" in the splunkd.log file.
The only time it works is when I specify the full paths without wildcards in the monitor URL, like:
/logs/serv1/apache-tomcat1/logs/application.log*
/logs/serv1/apache-tomcat2/logs/application.log*
/logs/serv1/apache-tomcat3/logs/application.log*
/logs/serv1/apache-tomcat4/logs/application.log*
/logs/serv2/apache-tomcat1/logs/application.log*
etc...
But I don't want to have all of them as separate inputs if I can specify one regex to match them all.
Thanks
Edit the source input path via Manager:
/logs/.../\w+\.\w+-\d+-\d+-\d+
Or, if this is too generic, then:
/logs/.../application\.log-\d+-\d+-\d+
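An added check, not part of the original posts: it runs the two suggested paths and the question's own generalization against the file paths quoted in the question, to see which ones let the `apache-tomcat2OLD` directory through. It assumes Splunk turns `...` in a monitor path into `.*` and applies a whitelist as an unanchored regex against the full path; the function names are hypothetical.

```python
import re

# Paths quoted in the question. The UNWANTED one must stay out of the index.
WANTED = [
    "/logs/serv1/apache-tomcat4/logs/application.log-2012-01-01",
    "/logs/serv2/apache-tomcat3/logs/application.log-2011-01-01",
    "/logs/serv3/apache-tomcat1/logs/application.log-2010-01-01",
]
UNWANTED = ["/logs/serv3/apache-tomcat2OLD/logs/application.log-2010-01-01"]


def wildcard_path_to_regex(monitor_path):
    # Assumption: "..." recurses through any number of directories (".*");
    # the rest of the path is used as regex text unchanged.
    return monitor_path.replace("...", ".*")


def matched(regex, paths):
    """Return the paths that an unanchored regex search lets through."""
    rx = re.compile(regex)
    return [p for p in paths if rx.search(p)]


CANDIDATES = {
    "answer, generic": wildcard_path_to_regex(r"/logs/.../\w+\.\w+-\d+-\d+-\d+"),
    "answer, specific": wildcard_path_to_regex(r"/logs/.../application\.log-\d+-\d+-\d+"),
    # The question's generalization, used as a whitelist regex on a
    # monitor of /logs (assumed usage, not confirmed in the thread).
    "question, as whitelist":
        r"/logs/serv[0-9]/apache-tomcat[1-4]/logs/application\.log.*",
}


def report():
    """Map each candidate to (wanted paths matched, unwanted paths matched)."""
    return {name: (matched(rx, WANTED), matched(rx, UNWANTED))
            for name, rx in CANDIDATES.items()}


if __name__ == "__main__":
    for name, (ok, leak) in report().items():
        print(f"{name}: {len(ok)}/{len(WANTED)} wanted, {len(leak)} unwanted")
```

Under these assumptions, both `...` paths also match the `apache-tomcat2OLD` file, while the question's pattern excludes it because `[1-4]` must be followed directly by `/`.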