Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you collect Linux logs from files such as access.log.YY-DD-MM?

w_raza
Explorer
‎12-31-2018 06:41 AM

Hi,

I've deployed splunklight-7.2.1 and I am using universal log forwarder to forward logs from a Linux server to my Splunk server.

I'm stuck in condition where I have to get logs from a particular file which gets created a new file daily to store the logs. For example, today's logs will be stored in ../acess_log.2018-12-31 and tomorrow's logs will be stored as ../access_log.2019-01-01 and so on. Can any one please guide my what should I configure in my inputs.conf file to get these logs?

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vliggio
Communicator
‎12-31-2018 07:03 AM

That won't work quite right, Rich. The wildcard is three dots, and using ../ would probably try to find log files up one level from the Splunk root or possibly from the root level (and only at that level). (Checking bin/splunk list monitor just shows that splunk is literally interpreting the ../ but not showing the actual root it's using)

You're always better off with an explicit path as the start (ie, [monitor:///var/log/access_log.*]), or if it's truly a wildcard recursive search, then it would be [monitor:///var/log/.../access_log.*]. Recursion though from the root wouldn't be a very good idea because then Splunk will have to traverse the whole file system looking for access_log files.

View solution in original post

Reply
Solved! Jump to solution
Solution

vliggio
Communicator
‎12-31-2018 07:03 AM

That won't work quite right, Rich. The wildcard is three dots, and using ../ would probably try to find log files up one level from the Splunk root or possibly from the root level (and only at that level). (Checking bin/splunk list monitor just shows that splunk is literally interpreting the ../ but not showing the actual root it's using)

You're always better off with an explicit path as the start (ie, [monitor:///var/log/access_log.*]), or if it's truly a wildcard recursive search, then it would be [monitor:///var/log/.../access_log.*]. Recursion though from the root wouldn't be a very good idea because then Splunk will have to traverse the whole file system looking for access_log files.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-31-2018 07:19 AM

Valid points. My answer was based on the OP's info, but explicit file paths are best.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

w_raza
Explorer
‎01-01-2019 01:09 AM

Hi vliggio,

Thanks for your response and explaining in detail, that helped.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-31-2018 06:45 AM

It depends on what else you don't want to monitor is in the same directory, but start with [monitor://../access_log.*].

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

w_raza
Explorer
‎01-01-2019 01:08 AM

Hi Rich,

Thanks for your quick response, that really helped and it worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...