Solved: Re: inputs.conf is there a difference

gerdhuber · ‎02-16-2017

Hallo,

i only want to monitor files in the directory pkorb and not files in subdirectory pkorb/oldlogs
What is the right monitor ?

[monitor:///var/log/pkorb]
[monitor:///var/log/pkorb/]

or any other ?

skoelpin · ‎02-16-2017

[monitor:///var/log/pkorb/*] will forward any files sitting in the pkorb directory but will NOT forward files from sub-directories in that pkorb directory

If you wanted to ingest data from a subdirectory, it would look like

[monitor:///var/log/pkorb/.../*]

View solution in original post

skoelpin · ‎02-16-2017

[monitor:///var/log/pkorb/*] will forward any files sitting in the pkorb directory but will NOT forward files from sub-directories in that pkorb directory

If you wanted to ingest data from a subdirectory, it would look like

[monitor:///var/log/pkorb/.../*]

gerdhuber · ‎02-17-2017

thank you

skoelpin · ‎02-17-2017

Did this answer your question? If so then please accept the answer

gerdhuber · ‎02-20-2017

yes, this is what i am looking for.

skoelpin · ‎02-20-2017

Can you please accept the answer and close it out?

martin_mueller · ‎02-16-2017

I'd give this a shot:

[monitor:///var/log/pkorb]
recursive = false

Alternatively, this:

[monitor:///var/log/pkorb]
blacklist = oldlogs

The latter would recurse, but skip the oldlogs directory. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/inputsconf for specs.

inputs.conf is there a difference

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation