Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Forwarder Configuration?

nilaksh92
Path Finder
‎08-04-2017 01:02 AM

Hi Everyone,

Need some help on configuration of Splunk forwarder.

I have multiple log files under a directory. So, I have pointed the directory to fetch all logs from all file.

Is that correct way?

Now I have one requirement,

Under that directory "Nikks", I have log file named like

Log Files:-

abc.log
abc.log.1
abc.log.2
xyz.log
xyz.log.1
xyz.log.2

Like this I have lot of sets of log files under same directory.

I just want to sent logs from abc.log and xyz.log to splunk.

I don't need events from abc.log.1, abc.log.2 etc.

Please let me know how to configure the forwarder for this scenario.

Thanks in Advance
Nikks

Tags (2)
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎08-04-2017 01:14 AM

The inputs documentation has many configuration options you could use, in your case you could:

  • Create a monitor:/// stanza for each file you want
  • Use the whitelist stanza with your existing directory reference: whitelist=\.log$
  • Use the blacklist stanza and exclude files you do not want.

I would use the whitelist option in your scenario if you are happy with either not hardcoding the sourcetype in the inputs.conf or having a single sourcetype for all the files.

Any of the options listed could work.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

nilaksh92
Path Finder
‎08-04-2017 01:44 AM

Hi

Which one of below will work

whitelist=.log$ or whitelist=*.log

one more thing

I have some log file with timestamp as well.

like pqr.log.10/12/2017

I want to includes these files as well.

What I need is

abc.log
xyz.log
pqr.log.10/11/2017

what i don't want
abc.log.1
xyz.log.1

Please can you provide configuration for this scenario.

Thanks
Nikks

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎08-04-2017 01:49 AM

I would suggest a website like http://regex101.com could be used for testing any regular expression.

So you could do:
whitelist = \.log(\.\d+/\d+/\d+)?$

Or you could make a blacklist for \.[123456789]$

The $ matches end of line however *.log would likely work

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...