Getting Data In

Monitoring recursive directories, with only one line

robertlynch2020
Motivator

Hi

I have a directory

/net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3

However, it looks like I have to add two lines into my forwarder to monitor the original directory and all the sub-directories. Is there one line that I can use?

[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3/*.log]
disabled = false
recursive = true
host = MXTIMING_LIVE_TEST2
index = mlc_live
whitelist = mxtiming_(?<ppp>\d*_[^_]*_\d*)\.log
crcSalt = <SOURCE>
sourcetype = MX_TIMING

[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3/.../*.log]
disabled = false
recursive = true
host = MXTIMING_LIVE_TEST2
index = mlc_live
whitelist = mxtiming_(?<ppp>\d*_[^_]*_\d*)\.log
crcSalt = <SOURCE>
sourcetype = MX_TIMING
0 Karma
1 Solution

DalJeanis
SplunkTrust

Apparently the other document is wrong, and the parent directory is NOT covered by the /.../ construct, so this is the correct answer.


Try this -

[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3.../*.log]

The documentation states that ... indicates recursion through subdirectories, which implies that the slashes on either side of it are not required features of the ... itself. No examples of that usage are in the documentation, however.

If that doesn't work, then you can use the regular expression equivalent...

[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3.*/*.log]

It's not very splunky, but it's a valid regex and matches the "Regular Expression Equivalent for ..." given in the table here -
https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Specifyinputpathswithwildcards


masonmorales
Influencer

This should work:

 [monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3]
 disabled = false
 recursive = true
 host = MXTIMING_LIVE_TEST2
 index = mlc_live
 whitelist = mxtiming_(?<ppp>\d*_[^_]*_\d*)\.log
 crcSalt = <SOURCE>
 sourcetype = MX_TIMING

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

BTW, recursive defaults to true, so you don't actually need to specify "recursive = true" in your config.

robertlynch2020
Motivator

In fact it does not work
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3/.../*.log]
I had to use
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3.../*.log]
to get it to work correctly.

0 Karma

DalJeanis
SplunkTrust

Very curious.

https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Specifyinputpathswithwildcards specifically says that ...

/foo/.../bar.log matches the files /foo/1/bar.log, /foo/2/bar.log, /foo/1/2/bar.log, etc., but does not match /foo/bar.log, or /foo/3/notbar.log
Because a single ellipsis recurses through all folders and subfolders, /foo/.../bar.log matches the same as /foo/.../.../bar.log.

Your doc is specifically regarding wildcards and monitor:, so the more specific beats the more general. Upvoting yours and putting a caveat on mine.

0 Karma
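
Added example, not part of any post in this thread and not Splunk's own code: a simplified model of wildcard matching that uses the regex equivalents from the wildcard documentation table (`...` as `.*`, `*` as `[^/]*`) to show why `/.../` skips the parent directory while `MXTIMING_MEDIUM3.../*.log` covers it. The shortened base path and file names are constructed for illustration.

```python
import re

# Wildcard -> regex equivalents as listed in Splunk's "Specify input paths
# with wildcards" table: "..." -> ".*", "*" -> "[^/]*".
def monitor_path_to_regex(path):
    """Model a wildcarded monitor path as an anchored regex (simplified)."""
    out = []
    i = 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")          # recurse through any directory depth
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")       # anything within one path segment
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def matched_files(path, files):
    """Return the files (in input order) that the modelled path selects."""
    rx = monitor_path_to_regex(path)
    return [f for f in files if rx.match(f)]


# Constructed sample tree (hypothetical names, shortened base path).
BASE = "/data/MXTIMING_MEDIUM3"
FILES = [
    BASE + "/mxtiming_1_a_2.log",            # parent directory
    BASE + "/sub/mxtiming_3_b_4.log",        # one level down
    BASE + "/sub/deep/mxtiming_5_c_6.log",   # two levels down
    BASE + "_OLD/mxtiming_7_d_8.log",        # sibling sharing the prefix
    BASE + "/sub/notes.txt",                 # wrong extension
]

if __name__ == "__main__":
    for stanza in (BASE + "/*.log", BASE + "/.../*.log", BASE + ".../*.log"):
        print(stanza)
        for f in matched_files(stanza, FILES):
            print("   ", f)
```

In this model the `MXTIMING_MEDIUM3.../*.log` form also selects a sibling directory whose name merely starts with `MXTIMING_MEDIUM3`, so compare what actually gets indexed against what you intended to collect.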

robertlynch2020
Motivator

Cheers - this is what I needed 🙂

0 Karma

woodcock
Esteemed Legend

When you reference a person, if you prefix with @ (as in @woodcock), the system will notify the person that you mentioned him.

0 Karma

DalJeanis
SplunkTrust

@woodcock - thanks!

0 Karma