Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is my inputs.conf monitor stanza with multiple...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is my inputs.conf monitor stanza with multiple wildcards not picking up anything?
Hi Team,
I want to read below log files in 3 separate source types like deprovision , preprovision and provision but the code mentioned in picking one source type files.
2072.37915_xxalslnxxxt10029_deprovision_runlist.log
2072.37915_xxalslnxxxt10029_provision_runlist.log
2072.37915_xxalslnxxxt10029_preprovision_runlist.log
inputs.conf code :
[monitor://C:\opt\hyperblue\logs\build_logs*_preprovision_runlist.log]
[monitor://C:\opt\hyperblue\logs\build_logs*_provision_runlist.log]
[monitor://C:\opt\hyperblue\logs\build_logs*_deprovision_runlist.log]
Please hekp
Regards
smdasim
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Current Code which is only picking all logs and putting into sourcetype server_deprovision:default
[monitor://C:\opt\hyperblue\logs\build_logs*_provision_runlist.log]
disabled = false
sourcetype = server_provision:default
blacklist= _deprovision_runlist|_preprovision_runlist.log$
[monitor://C:\opt\hyperblue\logs\build_logs*_preprovision_runlist.log]
disabled = false
sourcetype = server_preprovision:default
blacklist= _provision_runlist|_deprovision_runlist.log$
[monitor://C:\opt\hyperblue\logs\build_logs*_deprovision_runlist.log]
disabled = false
sourcetype = server_deprovision:default
blacklist= _provision_runlist|_preprovision_runlist.log$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kindly read here for full description:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Specifyinputpathswithwildcards
or use @DalJeanis answer below
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[monitor://C:\opt\hyperblue\logs\build_logs**_preprovision_runlist.log]
or
[monitor://C:\opt\hyperblue\logs\build_logs***_preprovision_runlist.log]
not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
An asterisk matches any set of characters in a single path segment. You can use ** to represent any number of levels of path.
Seems like you probably want
[monitor://C:\opt\hyperblue\logs\build_logs*\*_preprovision_runlist.log]
or
[monitor://C:\opt\hyperblue\logs\build_logs**\*_preprovision_runlist.log]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using above solution is resulting the sourcetype to set to breakable_text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not quite sure as it seems unclear to me what 2072.37915_xxalslnxxxt10029_deprovision_runlist.log portion of the string / location means
your inputs.conf has to specify exactly where the file resides and use wild cards where they can be applied
example:
C:\hello\here\is\my\data.log
C:\hello\here\is\my\other_data.log
this stanza will capture the top one only:
[monitor://C:\hello\here\is\my\data.log]
this will capture both:
[monitor://C:\hello\here\is\my\*data.log]
or
[monitor://C:\hello\here\is\my\]
hope it helps
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Customer success is front and center at .conf25
.conf25 Global Broadcast: Don’t Miss a Moment
