- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- monitoring recursive directories , with only one l...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have a directory
/net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3
However it looks like i have to add two lines into my forwarder to do monitor the original directory and all the sub-directories, is there one line that i can use?
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3/*.log]
disabled = false
recursive = true
host = MXTIMING_LIVE_TEST2
index = mlc_live
whitelist = mxtiming_(?<ppp>\d*_[^_]*_\d*)\.log
crcSalt = <SOURCE>
sourcetype = MX_TIMING
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3/.../*.log]
disabled = false
recursive = true
host = MXTIMING_LIVE_TEST2
index = mlc_live
whitelist = mxtiming_(?<ppp>\d*_[^_]*_\d*)\.log
crcSalt = <SOURCE>
sourcetype = MX_TIMING
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apparently the other document is wrong, and the parent directory is NOT covered by the /.../ construct, so this is the correct answer.
Try this -
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3.../*.log]
The documentation states that ... indicates recursion through subdirectories, which implies that the slashes on either side of it are not required features of the ... itself. No examples of that usage are in the documentation, however.
If that doesn't work, then you can use the regular expression equivalent...
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3.*/*.log]
It's not very splunky, but it's a valid regex and matches the "Regular Expression Equivalent for ..." given in the table here -
https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Specifyinputpathswithwildcards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should work:
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3]
disabled = false
recursive = true
host = MXTIMING_LIVE_TEST2
index = mlc_live
whitelist = mxtiming_(?<ppp>\d*_[^_]*_\d*)\.log
crcSalt = <SOURCE>
sourcetype = MX_TIMING
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
BTW, recursive defaults to true, so you don't actually need to specify "recursive = true" in your config.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in fact it does not work
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3/.../.log]
i had to use
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3.../.log]
to get it to work correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very curious.
https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Specifyinputpathswithwildcards specifically says that ...
/foo/.../bar.log matches the files /foo/1/bar.log, /foo/2/bar.log, /foo/1/2/bar.log, etc., but does not match /foo/bar.log, or /foo/3/notbar.log
Because a single ellipse recurses through all folders and subfolders, /foo/.../bar.log matches the same as /foo/.../.../bar.log.
Your doc is specifically regarding wildcards and monitor:, so the more specific beats the more general. Upvoting yours and putting a caveat on mine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apparently the other document is wrong, and the parent directory is NOT covered by the /.../ construct, so this is the correct answer.
Try this -
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3.../*.log]
The documentation states that ... indicates recursion through subdirectories, which implies that the slashes on either side of it are not required features of the ... itself. No examples of that usage are in the documentation, however.
If that doesn't work, then you can use the regular expression equivalent...
[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM3.*/*.log]
It's not very splunky, but it's a valid regex and matches the "Regular Expression Equivalent for ..." given in the table here -
https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Specifyinputpathswithwildcards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cheers - this is what i needed 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you reference a person, if you prefix with @ (as in @woodcock), the system will notify the person that you mentioned him.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock - thanks!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
