inputs.conf monitor question

hank72 · ‎02-11-2022

Hi Community,

I have a inputs.conf monitor that looks like this

[monitor:///var/log/logfiles/.../app.log]
index=englogs
sourcetype=eng:custom

The above monitor will cover these paths to the app.log files
/var/log/logfiles/database/eng/comm/surface/app.log
/var/log/logfiles/trunk/sec/comm/water/app.log
/var/log/logfiles/other/fin/app.log
And many, many more...

I have a file that I want to sourcetype as access_combined (not eng:custom).
/var/log/logfiles/scapes/web01/app.log
This path falls within the scope of the above monitored stanza.

What is the best way to accomplish this? Do I use a blacklist in the .../app.log eng:custom monitor and then create another monitor stanza for the web01/app.log access_combined that immediately follows this?

Thank you

SinghK · ‎02-11-2022

Yes, thats correct.

SanjayReddy · ‎02-11-2022

Hi @hank72

Yes, you are correct, you can mention blacklist = /var/log/logfiles/scapes/web01/app.log

and Create new moniotring stanza , that should work

-----------
Regards
Sanjay Reddy

inputs.conf monitor question

inputs.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

inputs.conf monitor question

inputs.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions