Getting Data In

forwarder inputs.conf to watch multiple paths

cthacker
Explorer

I've tried a bunch of different things on my Forwarder to get it to watch 2 different paths, and blacklist one folder within the second path, and nothing is working. What is the recommended solution for getting the forwarder to watch these two paths:

/var/log
/Library/Logs

and blacklist /Library/Logs/CrashPlan?

my current inputs.conf contains this.

[default]
host = one.example.com
[monitor:///var/log]

I've read the documentation and tried regex a handful of different ways but can't get it to work. I'm using the latest release.

I'm making a change, then restarting the forwarder, then running this to confirm if it's working or not:
/Applications/splunkforwarder/bin/splunk list monitor

Thanks!

Tags (2)
0 Karma

kristian_kolb
Ultra Champion

You could also make use of the 'recurse' attribute - see;

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

[default]
host = one.example.com

[monitor:///var/log]
sourcetype=xxx

[monitor:///Library/Logs]
sourcetype=yyy
recurse = false

/K

0 Karma

cthacker
Explorer

thanks for your response. that's good to know... in this case though there are other directories within /Library/Logs/* that I do want it to use.

0 Karma

cthacker
Explorer

This seems to have worked.

[default]
host = one.example.com

[monitor:///var/log]

[monitor:///Library/Logs]
blacklist = CrashPlan*

I think I had

blacklist=*CrashPlan*

before and that didn't work.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...