Getting Data In

Input monitor wildcard and whitelist

johnsmith78
Engager

Hi

I read all I could find in the docs and in splunkbase but I'm still struggling with that simple problem:

I need to index all the log files corresponding to these paths:

/logs/serv1/apache-tomcat4/logs/application.log-2012-01-01
/logs/serv2/apache-tomcat3/logs/application.log-2011-01-01
/logs/serv3/apache-tomcat1/logs/application.log-2010-01-01

This would be generalized as:

/logs/serv[0-9]/apache-tomcat[1-4]/logs/application\.log.*

I cannot find a way to configure the monitor path of inputs.conf nor the whitelist to only index those files.

Mainly, I want to avoid indexing files from paths like:

/logs/serv3/apache-tomcat2OLD/logs/application.log-2010-01-01

All I see, depending on what I try, is the index getting Data input file count rise but nothing getting indexed, and a lot of "ERROR TailingProcessor - matching" in the splunkd.log file.

The only time it works is when I specify the full paths without wildcards in the monitor url like:

/logs/serv1/apache-tomcat1/logs/application.log*
/logs/serv1/apache-tomcat2/logs/application.log*
/logs/serv1/apache-tomcat3/logs/application.log*
/logs/serv1/apache-tomcat4/logs/application.log*
/logs/serv2/apache-tomcat1/logs/application.log*
etc...

But I don't want to have all of them as separate inputs if I can specify one regex to match them all.

Thanks

cvajs
Contributor

Edit the source input path via Manager:
/logs/.../\w+\.\w+-\d+-\d+-\d+
or, if this is too generic, then:
/logs/.../application\.log-\d+-\d+-\d+

0 Karma
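
An added example, not part of the thread: a Python check that runs candidate whitelist regexes against the paths from the question before they go into inputs.conf, reporting which wanted files are missed and which unwanted files leak in. It assumes the whitelist is applied as an unanchored regex search over the full file path, with Python's re standing in for Splunk's PCRE; the candidate names, the [monitor:///logs] root and the extra test paths are constructed for illustration.

```python
import re

# Paths quoted in the question that must be indexed.
WANTED = [
    "/logs/serv1/apache-tomcat4/logs/application.log-2012-01-01",
    "/logs/serv2/apache-tomcat3/logs/application.log-2011-01-01",
    "/logs/serv3/apache-tomcat1/logs/application.log-2010-01-01",
]
# First path is the one the question wants excluded; the rest are constructed.
UNWANTED = [
    "/logs/serv3/apache-tomcat2OLD/logs/application.log-2010-01-01",
    "/logs/serv1/apache-tomcat5/logs/application.log-2012-01-01",
    "/logs/serv1/apache-tomcat1/logs/catalina.out",
    "/backup/logs/serv1/apache-tomcat1/logs/application.log-2012-01-01",
]

# Candidate values for a stanza such as (sketch, assumed layout):
#   [monitor:///logs]
#   whitelist = <regex>
# "strict" is the question's own generalization, anchored at the start.
# "broad" is a constructed recursive-style pattern for comparison.
CANDIDATES = {
    "strict": r"^/logs/serv[0-9]/apache-tomcat[1-4]/logs/application\.log",
    "broad": r"/logs/.*/application\.log-\d+-\d+-\d+",
}


def audit(pattern):
    """Return wanted paths the regex misses and unwanted paths it lets in."""
    rx = re.compile(pattern)
    # search(), not match(): the regex is assumed to be unanchored
    # unless the pattern itself carries ^ or $.
    missed = [p for p in WANTED if not rx.search(p)]
    leaked = [p for p in UNWANTED if rx.search(p)]
    return {"missed": missed, "leaked": leaked}


def report():
    """Audit every candidate and return the results keyed by name."""
    return {name: audit(pattern) for name, pattern in CANDIDATES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: missed={len(result['missed'])} leaked={len(result['leaked'])}")
        for path in result["leaked"]:
            print(f"  would also index: {path}")
```
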