i have logs like this :
-rw-r----- 1 jira jira 4921534 Apr 13 22:42 catalina.2020-04-13.log
-rw-r----- 1 jira jira 463769261 Apr 14 00:00 access_log.2020-04-13
-rw-r----- 1 jira jira 2840014 Apr 14 13:08 catalina.2020-04-14.log
-rw-r----- 1 jira jira 222675515 Apr 14 13:08 access_log.2020-04-14
How to configure inputs.conf for the access_log
I tried below but it didnot work
[monitor:////apps/logs/access_log]
index = prdidx
blacklist = .(gz)$
sourcetype = ACCESS
_TCP_ROUTING = WEB
Try
[monitor:///apps/logs/access_log/access_log.*]
logs file name is access_log.2020-04-14. No folder with name access_log.
Tried without access_log folder as well but it didnot work
Did you restart the forwarder after changing inputs.conf?
Does Splunk have read access to the logs?
Do the files appear in the output of the CLI command splunk list monitor
?
if splunk runs as not root user then you have to add splunk to jira group, here is an example if splunk(forwarder) runs as a splunk user:
usermod -a -G jira splunk
Splunk restart is fine. Only files under the mentioned directory is not shown on Splunk. Need help to configure the inputs.conf
Does splunk run as a root user?
yes it run as root.
# The following configuration reads all the files in the directory /var/log.
[monitor:///var/log]
there is too many /
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
I removed the / but still the same thing. I don't want to read all the files in that directory. I want to only read access_log
Tried below but still failing
[monitor:///apps/logs/]
index = prdidx
blacklist = \.(gz)$
whitelist = access_log\.*$
sourcetype =ACCESS
_TCP_ROUTING = WEB
blacklist = .(gz)$
→
whitelist = \.log$
How about this?
Files are not ending with .log. Tried _log but did not work
what's your sourcetype
now?
and check sourcetype
What is the full path of the log files shown?
files are under /apps/logs/