inputs.conf monitor question

hank72 · ‎02-11-2022

Hi Community,

I have a inputs.conf monitor that looks like this

[monitor:///var/log/logfiles/.../app.log]
index=englogs
sourcetype=eng:custom

The above monitor will cover these paths to the app.log files
/var/log/logfiles/database/eng/comm/surface/app.log
/var/log/logfiles/trunk/sec/comm/water/app.log
/var/log/logfiles/other/fin/app.log
And many, many more...

I have a file that I want to sourcetype as access_combined (not eng:custom).
/var/log/logfiles/scapes/web01/app.log
This path falls within the scope of the above monitored stanza.

What is the best way to accomplish this? Do I use a blacklist in the .../app.log eng:custom monitor and then create another monitor stanza for the web01/app.log access_combined that immediately follows this?

Thank you

SinghK · ‎02-11-2022

Yes, thats correct.

SanjayReddy · ‎02-11-2022

Hi @hank72

Yes, you are correct, you can mention blacklist = /var/log/logfiles/scapes/web01/app.log

and Create new moniotring stanza , that should work

-----------
Regards
Sanjay Reddy

inputs.conf monitor question

inputs.conf

universal forwarder

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

inputs.conf monitor question

inputs.conf

universal forwarder

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I