Hi Team,
We have a distributed environment with several forwarders managed by Deployment Server. Recently, I have configured few logs paths as below
[monitor:///appl_*/logs/wserv/]
whitelist = access_logs_wasLC*_PROD_\.\d{8}
blacklist = \.gz
recursive = true
index = was_logs
sourcetype = ibm:was:app
[monitor:///appl_*/logs/wserv/]
whitelist = access_logs_wasCC*_LUAT_\.\d{8}
blacklist = \.gz
recursive = true
index = luat_was_logs
sourcetype = ibm:was:app
Both the Prod and LUAT environment servers are in the same server class. Now the issue is even the Prod logs are going to LUAT index. So could you please help me in resolving this issue? Is there any priority when the path is same?
Hi siva_cg,
try with this configuration:
[monitor:///appl_/logs/wserv/access_logs_wasLCPROD.*]
blacklist = .gz
recursive = true
index = was_logs
sourcetype = ibm:was:app
[monitor:///appl_/logs/wserv/access_logs_wasCCLUAT.*]
blacklist = .gz
recursive = true
index = luat_was_logs
sourcetype = ibm:was:app
Bye.
Giuseppe
Hi siva_cg,
try with this configuration:
[monitor:///appl_/logs/wserv/access_logs_wasLCPROD.*]
blacklist = .gz
recursive = true
index = was_logs
sourcetype = ibm:was:app
[monitor:///appl_/logs/wserv/access_logs_wasCCLUAT.*]
blacklist = .gz
recursive = true
index = luat_was_logs
sourcetype = ibm:was:app
Bye.
Giuseppe
It worked. Thank you cusello:)
Hi Giuseppe,
We have regular expression in the whitelist. The exact whitelist value is as below:
((access|error|access_ssl|error_ssl)log_was85CC[0-9]_A201_DigitalCA(IBC|IBR|DQMU)LUAT*[BW]1)?(|.\d{8}00)$
So will this regular expression be included in the monitor path? I will use a wildcard before this regular expression but just want to know whether we can include regular expression in the monitor path?