Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Monitor Stazas

siva_cg
Path Finder
‎07-20-2017 01:33 AM

Hi Team,

We have a distributed environment with several forwarders managed by Deployment Server. Recently, I have configured few logs paths as below

[monitor:///appl_*/logs/wserv/]
whitelist = access_logs_wasLC*_PROD_\.\d{8}
blacklist = \.gz
recursive = true
index = was_logs
sourcetype = ibm:was:app

[monitor:///appl_*/logs/wserv/]
whitelist = access_logs_wasCC*_LUAT_\.\d{8}
blacklist = \.gz
recursive = true
index = luat_was_logs
sourcetype = ibm:was:app

Both the Prod and LUAT environment servers are in the same server class. Now the issue is even the Prod logs are going to LUAT index. So could you please help me in resolving this issue? Is there any priority when the path is same?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-20-2017 02:10 AM

Hi siva_cg,
try with this configuration:

[monitor:///appl_/logs/wserv/access_logs_wasLCPROD.*]
blacklist = .gz
recursive = true
index = was_logs
sourcetype = ibm:was:app

[monitor:///appl_/logs/wserv/access_logs_wasCCLUAT.*]
blacklist = .gz
recursive = true
index = luat_was_logs
sourcetype = ibm:was:app

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-20-2017 02:10 AM

Hi siva_cg,
try with this configuration:

[monitor:///appl_/logs/wserv/access_logs_wasLCPROD.*]
blacklist = .gz
recursive = true
index = was_logs
sourcetype = ibm:was:app

[monitor:///appl_/logs/wserv/access_logs_wasCCLUAT.*]
blacklist = .gz
recursive = true
index = luat_was_logs
sourcetype = ibm:was:app

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

siva_cg
Path Finder
‎07-20-2017 10:24 AM

It worked. Thank you cusello:)

0 Karma
Reply
Solved! Jump to solution

siva_cg
Path Finder
‎07-20-2017 02:17 AM

Hi Giuseppe,

We have regular expression in the whitelist. The exact whitelist value is as below:
((access|error|access_ssl|error_ssl)log_was85CC[0-9]_A201_DigitalCA(IBC|IBR|DQMU)LUAT*[BW]1)?(|.\d{8}00)$

So will this regular expression be included in the monitor path? I will use a wildcard before this regular expression but just want to know whether we can include regular expression in the monitor path?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...