Getting Data In

inputs.conf monitor question

hank72
Path Finder

Hi Community,

I have a inputs.conf monitor that looks like this

[monitor:///var/log/logfiles/.../app.log]
index=englogs
sourcetype=eng:custom

The above monitor will cover these paths to the app.log files
/var/log/logfiles/database/eng/comm/surface/app.log
/var/log/logfiles/trunk/sec/comm/water/app.log
/var/log/logfiles/other/fin/app.log
And many, many more...

I have a file that I want to sourcetype as access_combined (not eng:custom).
/var/log/logfiles/scapes/web01/app.log
This path falls within the scope of the above monitored stanza.

What is the best way to accomplish this? Do I use a blacklist in the .../app.log eng:custom monitor and then create another monitor stanza for the web01/app.log access_combined that immediately follows this?

Thank you

Labels (2)
0 Karma

SinghK
Builder

Yes, thats correct.

0 Karma

SanjayReddy
SplunkTrust
SplunkTrust

Hi @hank72 


Yes, you are correct, you can mention blacklist = /var/log/logfiles/scapes/web01/app.log 

and Create new moniotring stanza , that should work 

-----------
Regards
Sanjay Reddy 

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...