Monitoring Splunk

Regex and wildcard for inputs.conf file

saad
Loves-to-Learn

Hello,

I have the below list of files in a directory and many more - below are a few examples.

210928105858:jira:HDL-APP004036:/hboprod/itdept/jira/domain/logs:$ ll
total 147936
-rw-r--r-- 1 jira jira 376923 Sep 26 23:59 access_log.2021-09-26
-rw-r--r-- 1 jira jira 1547320 Sep 28 00:00 access_log.2021-09-27
-rw-r--r-- 1 jira jira 891543 Sep 28 10:56 access_log.2021-09-28
-rw-r--r-- 1 jira jira 881194 Sep 28 10:02 atlassian-jira-gc-2021-09-20_11-52-13.log.0.current
-rw-r--r-- 1 jira jira 208279 Sep 28 10:49 atlassian-jira-gc-2021-09-28_10-04-10.log.0.current
-rw-r----- 1 jira jira 8964 Sep 20 11:52 catalina.2021-09-20.log
-rw-r--r-- 1 jira jira 8965 Sep 28 10:04 catalina.2021-09-28.log
-rw-r--r-- 1 jira jira 768821 Sep 28 10:12 catalina.out
-rw-r--r-- 1 jira jira 0 Sep 20 11:52 host-manager.2021-09-20.log
-rw-r--r-- 1 jira jira 0 Sep 28 10:04 host-manager.2021-09-28.log
-rw-r----- 1 jira jira 0 Sep 17 00:14 localhost.2021-09-17.log
-rw-r--r-- 1 jira jira 0 Sep 20 11:52 localhost.2021-09-20.log
-rw-r--r-- 1 jira jira 0 Sep 28 10:04 localhost.2021-09-28.log
-rw-r--r-- 1 jira jira 0 Sep 20 11:52 manager.2021-09-20.log
-rw-r--r-- 1 jira jira 0 Sep 28 10:04 manager.2021-09-28.log

I want to monitor catalina.out and access_log files only and not others.

I have configured a monitoring stanza for catalina.out and it is working as expected for me.

[monitor:////hboprod/itdept/jira/domain/logs/catalina.out]
sourcetype = log4j
ignoreOlderThan = 7d
crcSalt = <string>

I need help writing a monitoring stanza for access_log, as these files get created daily with that day's date in the name. How can I configure these files to be monitored?


somesoni2
Revered Legend

Only the file extension is dynamic, so try something like this:

[monitor:////hboprod/itdept/jira/domain/logs/access_log.*]
sourcetype = YourSourcetypeHere
ignoreOlderThan = 7d
crcSalt = <string>

saad
Loves-to-Learn

@somesoni2 Tried this as well - still the same issue.


ashvinpandey
Contributor

@saad You can use the below stanza:

[monitor:////hboprod/itdept/jira/domain/logs/*.<file_extension>]

You need to add the file extension and the rest remains the same.
Also, if this reply helps you, an upvote would be appreciated.


saad
Loves-to-Learn

Hi @ashvinpandey,

I have listed the file names in my original post; the file which I want to monitor is access_log and it does not have any extension.


ashvinpandey
Contributor

@saad Try using this:

[monitor:////hboprod/itdept/jira/domain/logs/access_log*.*]

saad
Loves-to-Learn

@ashvinpandey My monitoring stanzas are as below - still it does not work; in fact, after adding the monitoring stanza for access_log, even catalina.out has stopped getting monitored.

When doing ./splunk list inputstatus I see the below:

/hboprod/itdept/jira/domain/logs/access_log.2021-09-26
parent = //hboprod/itdept/jira/domain/logs/catalina.out
type = File did not match whitelist '^\/\/hboprod\/itdept\/jira\/domain\/logs/access_log[^/]*\.[^/]*$'.

/hboprod/itdept/jira/domain/logs/access_log.2021-09-27
parent = //hboprod/itdept/jira/domain/logs/catalina.out
type = File did not match whitelist '^\/\/hboprod\/itdept\/jira\/domain\/logs/access_log[^/]*\.[^/]*$'.

/hboprod/itdept/jira/domain/logs/access_log.2021-09-28
parent = //hboprod/itdept/jira/domain/logs/catalina.out
type = File did not match whitelist '^\/\/hboprod\/itdept\/jira\/domain\/logs/access_log[^/]*\.[^/]*$'.


saad
Loves-to-Learn

@ashvinpandey My monitoring stanza:

[monitor:////hboprod/itdept/jira/domain/logs/catalina.out]
sourcetype = log4j
ignoreOlderThan = 7d
crcSalt = <string>

[monitor:////hboprod/itdept/jira/domain/logs/access_log*.*]
sourcetype = log4j
ignoreOlderThan = 7d
crcSalt = <string>


ashvinpandey
Contributor

@saad Check if this works?
Also, if this reply helps you, an upvote would be appreciated.


saad
Loves-to-Learn

@ashvinpandey What works? I think you missed something.

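As an added illustration (not Splunk's code and not from any post in this thread), the following Python approximates how a monitor path with wildcards becomes the whitelist regex that splunk list inputstatus printed above: that output shows the pattern anchored at ^\/\/hboprod while the candidate files are reported as /hboprod/..., so nothing can match. The wildcard translation rules and the three-slash form (monitor:// followed by the absolute path) are assumptions drawn from the monitor://<path> convention, and the file list is a constructed sample taken from the listing in the question.

```python
import re

LOGDIR = "/hboprod/itdept/jira/domain/logs"
# File names taken from the directory listing in the question (constructed sample).
LISTED_FILES = [
    "access_log.2021-09-26", "access_log.2021-09-27", "access_log.2021-09-28",
    "atlassian-jira-gc-2021-09-28_10-04-10.log.0.current",
    "catalina.2021-09-28.log", "catalina.out",
    "host-manager.2021-09-28.log", "localhost.2021-09-28.log",
]


def stanza_to_whitelist(stanza: str) -> str:
    """Approximate the regex Splunk derives from a [monitor://<path>] header
    (the form `splunk list inputstatus` prints): '*' -> '[^/]*', '...' -> '.*',
    other characters escaped, anchored at both ends. Everything after
    'monitor://' is kept verbatim, so four slashes leave a doubled leading '/'."""
    path = stanza[len("[monitor://"):-1]
    parts, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif path[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append("\\/" if path[i] == "/" else re.escape(path[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def matched_files(stanza: str, whitelist: str = "", files=LISTED_FILES):
    """Listed files whose full path satisfies the stanza pattern and, if given,
    an explicit 'whitelist =' regex (both are tested against the full path)."""
    stanza_rx = re.compile(stanza_to_whitelist(stanza))
    extra_rx = re.compile(whitelist) if whitelist else None
    hits = []
    for name in files:
        full = f"{LOGDIR}/{name}"
        if stanza_rx.search(full) and (extra_rx is None or extra_rx.search(full)):
            hits.append(name)
    return hits


# Four slashes, as in the thread: the pattern starts with ^\/\/ and matches nothing.
BROKEN = matched_files("[monitor:////hboprod/itdept/jira/domain/logs/access_log*.*]")
# monitor:// plus the absolute path (three slashes): the three access_log files.
FIXED = matched_files("[monitor:///hboprod/itdept/jira/domain/logs/access_log*]")
# One directory stanza narrowed with whitelist: exactly the files wanted, nothing else.
WANTED = matched_files("[monitor:///hboprod/itdept/jira/domain/logs/*]",
                       whitelist=r"(access_log\.\d{4}-\d{2}-\d{2}|catalina\.out)$")
```

Run the script and print BROKEN, FIXED and WANTED to compare the three stanza forms against the same file list; the whitelist variant is the one that also keeps the zero-byte manager and localhost logs out of the index.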