Re: how to configure inputs.conf?

khandelwaly · ‎04-14-2020

i have logs like this :

-rw-r----- 1 jira jira 4921534 Apr 13 22:42 catalina.2020-04-13.log
-rw-r----- 1 jira jira 463769261 Apr 14 00:00 access_log.2020-04-13
-rw-r----- 1 jira jira 2840014 Apr 14 13:08 catalina.2020-04-14.log
-rw-r----- 1 jira jira 222675515 Apr 14 13:08 access_log.2020-04-14

How to configure inputs.conf for the access_log
I tried below but it didnot work

[monitor:////apps/logs/access_log]
index = prdidx
blacklist = .(gz)$
sourcetype = ACCESS
_TCP_ROUTING = WEB

richgalloway · ‎04-14-2020

Try

[monitor:///apps/logs/access_log/access_log.*]

---
If this reply helps you, Karma would be appreciated.

khandelwaly · ‎04-14-2020

logs file name is access_log.2020-04-14. No folder with name access_log.
Tried without access_log folder as well but it didnot work

richgalloway · ‎04-15-2020

Did you restart the forwarder after changing inputs.conf?
Does Splunk have read access to the logs?
Do the files appear in the output of the CLI command splunk list monitor?

---
If this reply helps you, Karma would be appreciated.

PavelP · ‎04-14-2020

if splunk runs as not root user then you have to add splunk to jira group, here is an example if splunk(forwarder) runs as a splunk user:

usermod -a -G jira splunk

khandelwaly · ‎04-14-2020

Splunk restart is fine. Only files under the mentioned directory is not shown on Splunk. Need help to configure the inputs.conf

PavelP · ‎04-14-2020

Does splunk run as a root user?

khandelwaly · ‎04-14-2020

yes it run as root.

to4kawa · ‎04-14-2020

# The following configuration reads all the files in the directory /var/log.

[monitor:///var/log]

there is too many /

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

khandelwaly · ‎04-14-2020

I removed the / but still the same thing. I don't want to read all the files in that directory. I want to only read access_log

khandelwaly · ‎04-14-2020

Tried below but still failing
[monitor:///apps/logs/] index = prdidx blacklist = \.(gz)$ whitelist = access_log\.*$ sourcetype =ACCESS _TCP_ROUTING = WEB

to4kawa · ‎04-14-2020

blacklist = .(gz)$
→
whitelist = \.log$
How about this?

khandelwaly · ‎04-14-2020

Files are not ending with .log. Tried _log but did not work

to4kawa · ‎04-14-2020

what's your sourcetype now?

to4kawa · ‎04-15-2020

https://docs.splunk.com/Documentation/Splunk/8.0.3/Troubleshooting/Cantfinddata

to4kawa · ‎04-14-2020

and check sourcetype

richgalloway · ‎04-14-2020

What is the full path of the log files shown?

---
If this reply helps you, Karma would be appreciated.

khandelwaly · ‎04-14-2020

files are under /apps/logs/

how to configure inputs.conf?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies