Monitoring Splunk

Regex and wildcard for inputs.conf file

saad
Loves-to-Learn

Hello,

I have the below list of files in a directory, and many more; below are a few examples:

210928105858:jira:HDL-APP004036:/hboprod/itdept/jira/domain/logs:$ ll
total 147936
-rw-r--r-- 1 jira jira 376923 Sep 26 23:59 access_log.2021-09-26
-rw-r--r-- 1 jira jira 1547320 Sep 28 00:00 access_log.2021-09-27
-rw-r--r-- 1 jira jira 891543 Sep 28 10:56 access_log.2021-09-28
-rw-r--r-- 1 jira jira 881194 Sep 28 10:02 atlassian-jira-gc-2021-09-20_11-52-13.log.0.current
-rw-r--r-- 1 jira jira 208279 Sep 28 10:49 atlassian-jira-gc-2021-09-28_10-04-10.log.0.current
-rw-r----- 1 jira jira 8964 Sep 20 11:52 catalina.2021-09-20.log
-rw-r--r-- 1 jira jira 8965 Sep 28 10:04 catalina.2021-09-28.log
-rw-r--r-- 1 jira jira 768821 Sep 28 10:12 catalina.out
-rw-r--r-- 1 jira jira 0 Sep 20 11:52 host-manager.2021-09-20.log
-rw-r--r-- 1 jira jira 0 Sep 28 10:04 host-manager.2021-09-28.log
-rw-r----- 1 jira jira 0 Sep 17 00:14 localhost.2021-09-17.log
-rw-r--r-- 1 jira jira 0 Sep 20 11:52 localhost.2021-09-20.log
-rw-r--r-- 1 jira jira 0 Sep 28 10:04 localhost.2021-09-28.log
-rw-r--r-- 1 jira jira 0 Sep 20 11:52 manager.2021-09-20.log
-rw-r--r-- 1 jira jira 0 Sep 28 10:04 manager.2021-09-28.log

I want to monitor catalina.out and access_log files only and not others.

I have configured a monitoring stanza for catalina.out and it is working as expected for me.

[monitor:////hboprod/itdept/jira/domain/logs/catalina.out]
sourcetype = log4j
ignoreOlderThan = 7d
crcSalt = <string>

 

I need help writing a monitoring stanza for access_log, as these files get created daily with that day's date in the name. How can I configure these files to be monitored?

0 Karma

somesoni2
Revered Legend

Only the file extension is dynamic, so try something like this:

[monitor:////hboprod/itdept/jira/domain/logs/access_log.*]
sourcetype = YourSourcetypeHere
ignoreOlderThan = 7d
crcSalt = <string>
0 Karma

saad
Loves-to-Learn

@somesoni2 Tried this as well; still the same issue.

0 Karma

ashvinpandey
Contributor

@saad You can use the below stanza:

[monitor:////hboprod/itdept/jira/domain/logs/*.<file_extension>]

You need to add the file extension; the rest remains the same.
Also, if this reply helps you, an upvote would be appreciated.

0 Karma

saad
Loves-to-Learn

Hi @ashvinpandey,

I have listed the file name in my original post; the file which I want to monitor is access_log and it does not have any extension.

0 Karma

ashvinpandey
Contributor

@saad Try using this:

[monitor:////hboprod/itdept/jira/domain/logs/access_log*.*]
0 Karma

saad
Loves-to-Learn

@ashvinpandey My monitoring stanzas are as below. It still does not work; in fact, after adding the monitoring stanza for access_log, even catalina.out has stopped getting monitored.

When doing ./splunk list inputstatus

I see the below:

/hboprod/itdept/jira/domain/logs/access_log.2021-09-26
parent = //hboprod/itdept/jira/domain/logs/catalina.out
type = File did not match whitelist '^\/\/hboprod\/itdept\/jira\/domain\/logs/access_log[^/]*\.[^/]*$'.

/hboprod/itdept/jira/domain/logs/access_log.2021-09-27
parent = //hboprod/itdept/jira/domain/logs/catalina.out
type = File did not match whitelist '^\/\/hboprod\/itdept\/jira\/domain\/logs/access_log[^/]*\.[^/]*$'.

/hboprod/itdept/jira/domain/logs/access_log.2021-09-28
parent = //hboprod/itdept/jira/domain/logs/catalina.out
type = File did not match whitelist '^\/\/hboprod\/itdept\/jira\/domain\/logs/access_log[^/]*\.[^/]*$'.

0 Karma

saad
Loves-to-Learn

@ashvinpandey My monitoring stanza:

[monitor:////hboprod/itdept/jira/domain/logs/catalina.out]
sourcetype = log4j
ignoreOlderThan = 7d
crcSalt = <string>

[monitor:////hboprod/itdept/jira/domain/logs/access_log*.*]
sourcetype = log4j
ignoreOlderThan = 7d
crcSalt = <string>

0 Karma
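
Added example (not written by any poster in this thread, and not Splunk's own code): a Python check that turns a wildcard monitor stanza into a whitelist regex of the form `splunk list inputstatus` printed above and tests it against file paths from the listing. The translation rule (`*` becomes `[^/]*`, `...` becomes `.*`) and the helper names `stanza_path`, `to_whitelist` and `matched` are assumptions modeled on that output.

```python
import re

LOG_DIR = "/hboprod/itdept/jira/domain/logs/"
# File names copied from the directory listing in the thread.
FILES = [LOG_DIR + n for n in (
    "access_log.2021-09-26", "access_log.2021-09-27", "access_log.2021-09-28",
    "atlassian-jira-gc-2021-09-28_10-04-10.log.0.current",
    "catalina.2021-09-28.log", "catalina.out", "localhost.2021-09-28.log",
)]

def stanza_path(header):
    """Return the path part of a '[monitor://<path>]' stanza header."""
    m = re.fullmatch(r"\[monitor://(.+)\]", header.strip())
    if m is None:
        raise ValueError("not a monitor stanza: " + header)
    return m.group(1)

def to_whitelist(path):
    """Assumed translation, modeled on the inputstatus output in the thread:
    '...' may cross directories, '*' stays inside one path segment."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return "^" + "".join(out) + "$"

def matched(header, files=FILES):
    """Names of the files whose full path the stanza's whitelist accepts."""
    rx = re.compile(to_whitelist(stanza_path(header)))
    return [f.rsplit("/", 1)[1] for f in files if rx.search(f)]

if __name__ == "__main__":
    for header in (
        "[monitor:////hboprod/itdept/jira/domain/logs/access_log*.*]",  # as posted
        "[monitor:///hboprod/itdept/jira/domain/logs/access_log.*]",    # one leading slash
    ):
        print(header, "->", matched(header) or "no files match")
```

The four-slash stanza produces a regex anchored at `//hboprod`, which cannot match the `/hboprod/...` paths that inputstatus reports, while the three-slash form `[monitor:///hboprod/...]` produces one that accepts only the three access_log files.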

ashvinpandey
Contributor

@saad Check if this works?
Also, if this reply helps you, an upvote would be appreciated.

0 Karma

saad
Loves-to-Learn

@ashvinpandey What works? I think you missed something.

0 Karma