Need to read from all files present in the /temp/logs/ directory except one file, abc.log.
Directory looks like:
xyz.log
ab.txt
ef.log
abc.log
inputs.conf:
[monitor:///temp/logs/]
index = abc_xyz
sourcetype = server
disabled = false
If your problem is that all files are being read, but you want to exclude abc.log, then you need to add a blacklist:
[monitor:///temp/logs/*]
index = abc_xyz
sourcetype = server
disabled = false
blacklist = */abc\.log
Why is */ used?
Hi @vishwanath119,
it's probably a visualization problem; try this inputs.conf:
[monitor:///temp/logs/*]
index = abc_xyz
sourcetype = server
disabled = false
If you continue to have the problem, check whether the unread file is a copy of another one, because by default Splunk doesn't read the same file twice, even under two different names.
If you want to read the same file twice under different names, you have to use the option crcSalt = <SOURCE>.
Ciao.
Giuseppe
