Re: forwarder inputs.conf to watch multiple paths

cthacker · ‎08-29-2013

I've tried a bunch of different things on my Forwarder to get it to watch 2 different paths, and blacklist one folder within the second path, and nothing is working. What is the recommended solution for getting the forwarder to watch these two paths:

/var/log
/Library/Logs

and blacklist /Library/Logs/CrashPlan?

my current inputs.conf contains this.

[default]
host = one.example.com
[monitor:///var/log]

I've read the documentation and tried regex a handful of different ways but can't get it to work. I'm using the latest release.

I'm making a change, then restarting the forwarder, then running this to confirm if it's working or not:
/Applications/splunkforwarder/bin/splunk list monitor

Thanks!

kristian_kolb · ‎08-29-2013

You could also make use of the 'recurse' attribute - see;

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

[default]
host = one.example.com

[monitor:///var/log]
sourcetype=xxx

[monitor:///Library/Logs]
sourcetype=yyy
recurse = false

/K

cthacker · ‎08-29-2013

thanks for your response. that's good to know... in this case though there are other directories within /Library/Logs/* that I do want it to use.

cthacker · ‎08-29-2013

This seems to have worked.

[default]
host = one.example.com

[monitor:///var/log]

[monitor:///Library/Logs]
blacklist = CrashPlan*

I think I had

blacklist=*CrashPlan*

before and that didn't work.

forwarder inputs.conf to watch multiple paths

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...