Re: input parsing another file

Vetrikmr · ‎12-14-2017

hi I have configured few forwarder agents through deployment server. I have given inputs.conf through app. here i need to monitor particular log file from directory and the same directory has a few other files too. here is my inputs.conf
[monitor : //directory\log\log.txt]
disabled=false
sourcetype=XXXX
index=XXX

so here i have to monitor that log file from few agents. But splunk it is monitoring the different file from the same path.
source: //directory\log\anotherlog.txt.

mayurr98 · ‎12-14-2017

hey @Vetrikmr

You can try whitelist and blacklist option in inputs.conf
refer this link to the same:
https://docs.splunk.com/Documentation/Splunk/7.0.1/Data/Monitorfilesanddirectorieswithinputs.conf#Mo...

Also check your log path properly:
log path is always / and your path contains \
I may be wrong but check once again:

[monitor://directory/log/log.txt]
index = XXX
sourcetype = xxx
whitelist = <give_regex> OR blacklist = <give_regex>

Yunagi · ‎12-15-2017

Also, the monitor stanza has the format monitor://. So you should use three "/" here:

[monitor:///directory/log/log.txt]

input parsing another file

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

input parsing another file

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?