Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Input paths with wildcards for the sub-directories tree

mlevsh
Builder
‎11-26-2019 02:34 PM

Hi,

I haven't dealt a lot with wildcards in Paths for Inputs, so will appreciate your help.

We need to monitor logs in SyslogLog sub-directory: 

/opt/our-application/var/log/our-processor/message_logging/dev/<environment>/<proxy-name>/<revision>/SyslogLog/name_of_log.log

For example from the following available directories we need to get only 1),4), 5) and 7) ,8), 10)files 

1) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_1/1/SyslogLog/name_of_1_log.log
2) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_1/1/SyslogLog/name_of_1_log.log.1
3) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_1/1/SyslogLog/name_of_1_log.log.2
4) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_1/2/SyslogLog/name_of_2_log.log
5) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_1/3/SyslogLog/name_of_3_log.log
6) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_1/3/FastLog/name_of_4_log.log

7) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_2/1/SyslogLog/name_of_5_log.log
8) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_2/2/SyslogLog/name_of_6_log.log
9) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_2/3/FastLog/name_of_7_log.log
10) /opt/our-application/var/log/our-processor/message_logging/dev/dev/company_proxy_name_2/4/SyslogLog/name_of_8_log.log

Will the following template on the Path with "*" work? 

[monitor:///opt/our-application/var/log/our-processor/message_logging/dev/*/*/SyslogLog/*.log]
index = our_index
sourcetype = our_sourcetype
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-26-2019 02:56 PM

Missed it by >that< much; try this:

[monitor:///opt/our-application/var/log/our-processor/message_logging/dev/*/*/*/SyslogLog/*.log]
index = our_index
sourcetype = our_sourcetype

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-26-2019 02:56 PM

Missed it by >that< much; try this:

[monitor:///opt/our-application/var/log/our-processor/message_logging/dev/*/*/*/SyslogLog/*.log]
index = our_index
sourcetype = our_sourcetype
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-26-2019 02:57 PM

This assumes that .../dev/dev/... is really the path and not a double-paste error.

0 Karma
Reply
Solved! Jump to solution

mlevsh
Builder
‎12-11-2019 09:06 AM

@woodcock , sorry for a delay.
Tested and it worked. Thank you so much as always!

Reply
Solved! Jump to solution

mlevsh
Builder
‎11-26-2019 06:49 PM

@woodcock , thank you! Will test tomorrow!
.../dev/dev/... is really the path.
it is possible that users might have other sub-folders under first dev.
Something like .../dev/dev_pse/...

Reply
Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...