SplunkForwarder inputs.conf - pick one log file if...

Ovi · ‎05-22-2012

Is there a way to configure SplunkForwarder inputs.conf to do the following?

The goal is to monitor a few directories and tail "default_log_name" application logs but if a "splunk_preferred_log" file exist, then just tail those ones instead, do not pickup the default log files

Example:

A. If only /apps/app_name/logs/DefaultAppLog_Date.log exists = monitor that one

B. If both /apps/app_name/logs/DefaultAppLog_Date.log and
/apps/app_name/logs/SplunkPreferredLog_Date.log

exist, then monitor just /apps/app_name/logs/SplunkPreferredLog_Date.log

Thanks

MuS · ‎05-23-2012

Hi Ovi

personally I would do this with a script which checks the files for you. use for example your provided A & B and if there is a match symlinks the log into a separate directory which is monitored by splunk.

hope this helps, cheers

MuS

MuS · ‎05-23-2012

well, your provided example is a simple 'if else' script and I still think it is the best and easiest way to check for the files you want and not for any rolled ones. feel free to supply your solution 🙂

Ovi · ‎05-23-2012

Nope....this solution doesn't work in my case
Too many factors to consider like rolling log names by date/time, various log rollup times throughout the day, adjust for outages or maintenance windows..etc
Too complex to manage all these possible conditions in a script and having to create/maintain symlinks all the time
Still looking for a simpler solution

Ovi · ‎05-23-2012

Thanks man, that's a pretty sweet idea.
My other choice would have been to write a shell script to:
-> search for log files -> "patch" the inputs.conf accordingly -> restart splunkd,
but your suggestion is much better.
I'll give it a try

SplunkForwarder inputs.conf - pick one log file if exists, else pick another

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms