Splunk Search

Log file rotation with date in file name

1234testtest
Path Finder

Hi,
I have to get all (and ONLY) tomcat std out files in D:/Program Files/Apache Software Foundation/Tomcat 6.0/logs. I have the following name of tomcat std out file tomcat6-stdout.2013-01-03.log - and it changes every day. How do I monitor these files continuously?

My inputs.conf has the stanza below.
[monitor://D:/Program Files/Apache Software Foundation/Tomcat 6.0/logs/tomcat6-stdout*]
disabled = false
followTail = 0
sourcetype = w_std_log_dynamic

I suspect the problem is with log file rotation as if a new tomcat6-stdout with today's date is getting generated, it is not being indexed (not shown in the sources list in the search app).

Thanks and any pointers would be of great help.

Kindly help

1 Solution

alacercogitatus
SplunkTrust

You could try using a whitelist for the folder. The * in the stanza relates to path, so your monitor was looking for folders instead of files that match the regex.

[monitor://D:/Program Files/Apache Software Foundation/Tomcat 6.0/logs]
disabled = false
followTail = 0
sourcetype=w_std_log_dynamic
whitelist = tomcat6-stdout.*\.log

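As an added example (not code from the thread), the script below checks which names in a constructed directory listing the whitelist regex from the answer, a `$`-anchored variant, and the wildcard stanzas from this thread would select. It assumes Splunk applies a whitelist as an unanchored regex against the full path; the file names are made up for the test.

```python
import re
from fnmatch import fnmatchcase

# Constructed listing of the Tomcat logs folder discussed in the thread.
# These names are invented to exercise the patterns; they are not from the page.
LOGS_DIR = "D:/Program Files/Apache Software Foundation/Tomcat 6.0/logs"
SAMPLE_LISTING = [
    "tomcat6-stdout.2013-01-03.log",
    "tomcat6-stdout.2013-01-04.log",
    "tomcat6-stdout.2013-01-02.log.bak",   # hypothetical archived copy
    "tomcat6-stderr.2013-01-04.log",
    "catalina.2013-01-04.log",
    "localhost_access_log.2013-01-04.txt",
]


def whitelist_matches(names, whitelist, directory=LOGS_DIR):
    """Files a [monitor://<directory>] stanza with this whitelist would pick up.

    Splunk applies the whitelist as a regex anywhere in the full path, so
    re.search (not re.fullmatch) models it; an unanchored pattern therefore
    also accepts names with extra trailing suffixes such as ".log.bak".
    """
    pattern = re.compile(whitelist)
    return [n for n in names if pattern.search(f"{directory}/{n}")]


def glob_matches(names, glob):
    """Files a [monitor://<directory>/<glob>] stanza would match by file name."""
    return [n for n in names if fnmatchcase(n, glob)]


if __name__ == "__main__":
    cases = {
        "whitelist (as answered)": whitelist_matches(SAMPLE_LISTING, r"tomcat6-stdout.*\.log"),
        "whitelist (anchored)": whitelist_matches(
            SAMPLE_LISTING, r"tomcat6-stdout\.\d{4}-\d{2}-\d{2}\.log$"),
        "wildcard tomcat6-stdout*": glob_matches(SAMPLE_LISTING, "tomcat6-stdout*"),
        "wildcard tomcat6-stdout*.log": glob_matches(SAMPLE_LISTING, "tomcat6-stdout*.log"),
    }
    for label, files in cases.items():
        print(f"{label}: {files}")
```

Only the anchored regex and the `*.log` wildcard exclude the archived `.log.bak` copy, so anchoring the whitelist keeps the input to the daily stdout files the question asks for.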

1234testtest
Path Finder

Thank you. Surprisingly, after a restart of the Splunk server, this worked:

[monitor://D:\Program Files\Apache Software Foundation\Tomcat 6.0\logs\tomcat6-stdout*]
disabled = false
followTail = 0
sourcetype = w_std_log_dynamic

lukejadamec
Super Champion

This worked for me also. There are many different sourcetypes in this directory, so for this particular sourcetype with the date in the file name, it is easier to manage as a source with a wildcard than with a whitelist for a directory - I need all files from the directory, but with different sourcetypes.


alacercogitatus
SplunkTrust

The primary reason for not doing it that way is that the assumption was that this was a Windows system "D:" and the documentation states that that will not work on Windows.

Warning: In Windows, you cannot currently use a wildcard at the root level. For example, this does not work:
[monitor://E:\...\foo\*.log]
Splunk logs an error and fails to index the desired files.
This is a known issue, described in the Known Issues topic of the Release Notes. Look there (http://docs.splunk.com/Documentation/Splunk/5.0.1/ReleaseNotes/KnownIssues) for details on all known issues.


kallu
Communicator

How about adding ".log" to the end, like this:

[monitor://D:/Program Files/Apache Software Foundation/Tomcat 6.0/logs/tomcat6-stdout*.log]

This is then exactly like the examples in the Splunk docs (= should work):

http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards

PS: I'm not sure if it makes a difference, but have you tried turning your "/" into "\" if it is Windows?
