Monitoring Splunk

input parsing another file

Vetrikmr
New Member

hi I have configured few forwarder agents through deployment server. I have given inputs.conf through app. here i need to monitor particular log file from directory and the same directory has a few other files too. here is my inputs.conf
[monitor : //directory\log\log.txt]
disabled=false
sourcetype=XXXX
index=XXX

so here i have to monitor that log file from few agents. But splunk it is monitoring the different file from the same path.
source: //directory\log\anotherlog.txt.

Tags (1)
0 Karma

mayurr98
Super Champion

hey @Vetrikmr

You can try whitelist and blacklist option in inputs.conf
refer this link to the same:
https://docs.splunk.com/Documentation/Splunk/7.0.1/Data/Monitorfilesanddirectorieswithinputs.conf#Mo...

Also check your log path properly:
log path is always / and your path contains \
I may be wrong but check once again:

[monitor://directory/log/log.txt]
index = XXX
sourcetype = xxx
whitelist = <give_regex> OR blacklist = <give_regex>

Yunagi
Communicator

Also, the monitor stanza has the format monitor://. So you should use three "/" here:

[monitor:///directory/log/log.txt]

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...