Getting Data In

Splunk Forwarder Configuration?

nilaksh92
Path Finder

Hi Everyone,

I need some help with the configuration of the Splunk forwarder.

I have multiple log files under a directory. So, I have pointed the forwarder at the directory to fetch all logs from all files.

Is that the correct way?

Now I have one requirement,

Under that directory "Nikks", I have log files named like

Log files:

abc.log
abc.log.1
abc.log.2
xyz.log
xyz.log.1
xyz.log.2

Like this, I have a lot of sets of log files under the same directory.

I just want to send logs from abc.log and xyz.log to Splunk.

I don't need events from abc.log.1, abc.log.2 etc.

Please let me know how to configure the forwarder for this scenario.

Thanks in Advance
Nikks


gjanders
SplunkTrust

The inputs documentation has many configuration options you could use; in your case you could:

  • Create a monitor:/// stanza for each file you want
  • Use the whitelist stanza with your existing directory reference: whitelist=\.log$
  • Use the blacklist stanza and exclude files you do not want.

I would use the whitelist option in your scenario if you are happy with either not hardcoding the sourcetype in the inputs.conf or having a single sourcetype for all the files.

Any of the options listed could work.


nilaksh92
Path Finder

Hi

Which one of the below will work?

whitelist=.log$ or whitelist=*.log

One more thing:

I have some log files with a timestamp as well.

like pqr.log.10/12/2017

I want to include these files as well.

What I need is

abc.log
xyz.log
pqr.log.10/11/2017

What I don't want:
abc.log.1
xyz.log.1

Please can you provide the configuration for this scenario.

Thanks
Nikks


gjanders
SplunkTrust

I would suggest a website like http://regex101.com could be used for testing any regular expression.

So you could do:
whitelist = \.log(\.\d+/\d+/\d+)?$

Or you could make a blacklist for \.[123456789]$

The $ matches the end of the line; however, *.log would likely work.

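Added example, not from the thread: a small Python script that applies the whitelist/blacklist semantics the answers describe to a constructed list of paths, so each proposed pattern can be checked before touching inputs.conf. It assumes the directory is /var/log/Nikks, and relies on the documented Splunk behaviour that these values are regexes tested against the full path, with blacklist winning when a file matches both.

```python
import re

# Constructed sample of the paths a directory monitor on /var/log/Nikks would see
# (the /var/log prefix is an assumption; Splunk tests the patterns against the full path).
SAMPLE_PATHS = [
    "/var/log/Nikks/abc.log",
    "/var/log/Nikks/abc.log.1",
    "/var/log/Nikks/abc.log.2",
    "/var/log/Nikks/abc.log.10",
    "/var/log/Nikks/xyz.log",
    "/var/log/Nikks/xyz.log.1",
    "/var/log/Nikks/pqr.log.10/12/2017",
    "/var/log/Nikks/pqr.log.10/11/2017",
    "/var/log/Nikks/README.txt",
]

def is_valid_regex(pattern):
    """whitelist/blacklist values are regexes, not shell globs, so a leading '*' is rejected."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def selected_files(paths, whitelist=None, blacklist=None):
    """Paths a [monitor://] stanza would read: must match whitelist (if set) and
    must not match blacklist; blacklist wins when both match."""
    wl = re.compile(whitelist) if whitelist else None
    bl = re.compile(blacklist) if blacklist else None
    return [p for p in paths
            if (wl is None or wl.search(p)) and (bl is None or not bl.search(p))]

def inputs_stanza(directory, whitelist=None, blacklist=None, sourcetype=None):
    """Render the inputs.conf stanza that corresponds to the chosen filters."""
    lines = [f"[monitor://{directory}]"]
    if whitelist:
        lines.append(f"whitelist = {whitelist}")
    if blacklist:
        lines.append(f"blacklist = {blacklist}")
    if sourcetype:
        lines.append(f"sourcetype = {sourcetype}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # The three candidates from the thread, side by side.
    for wl, bl in [(r"\.log$", None), (r"\.log(\.\d+/\d+/\d+)?$", None), (None, r"\.[123456789]$")]:
        print(inputs_stanza("/var/log/Nikks", wl, bl, "nikks_app"))
        print("  would monitor:", selected_files(SAMPLE_PATHS, wl, bl), "\n")
```

The sample deliberately includes abc.log.10 and README.txt so the output shows which pattern still admits a rotated file with a two-digit suffix or an unrelated file.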