Splunk Search

Monitoring a rolling log file

santosh_sshanbh
Path Finder

I have a requirement to monitor a rolling log file from a folder. The name of the file is like below

CalculationMgr-xx(yy).log

Here, xx & yy are numbers which keep on changing each time the service restarts. Also, for the first time I do not want to index the old data from the log file, but in case the Splunk UF is stopped for any reason, it should not lose the data after it restarts. So can anyone help me with the correct monitor stanza I have to use in this case?

0 Karma

skoelpin
SplunkTrust

Here's a good start

[monitor://<PATH_TO_FILE>/CalculationMgr-*.log]
index = <YOUR INDEX NAME>
sourcetype = <YOUR SOURCETYPE>
ignoreOlderThan = 1d

You will also need to configure outputs.conf to point to your indexer(s) and restart the splunkd service on the forwarder. The ignoreOlderThan attribute will ignore all files older than 1 day; you may want to modify this to fit your use case. Also, the fishbucket on the UF will prevent duplication of data.

http://docs.splunk.com/Documentation/Forwarder/7.0.3/Forwarder/Configuretheuniversalforwarder
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Data/Monitorfilesanddirectorieswithinputs.con...
https://www.splunk.com/blog/2008/08/14/what-is-this-fishbucket-thing.html

0 Karma

santosh_sshanbh
Path Finder

Tried this but getting an error in splunkd:

04-04-2018 08:34:03.983 -0400 DEBUG TailingProcessor - Not using stanza for this item (File did not match whitelist '^D:\\Program\ Files\ (x86)\\Proficy\\Proficy\ Server\\LogFiles\\CalculationMgr[^]*.log$'.).

04-04-2018 08:34:03.982 -0400 DEBUG TailReader - Returning disposition=IGNORE_THIS_PATH for file=D:\Program Files (x86)\Proficy\Proficy Server\LogFiles\CalculationMgr-1023(11).Log

The UF is on a Windows 2012 server.

0 Karma

santosh_sshanbh
Path Finder

I tried multiple combinations like below, but no success.

[monitor://D:\Program Files (x86)\Proficy\Proficy Server\LogFiles\CalculationMgr*.log]
source = Log
sourcetype = CalculationMgr
recursive = false
followTail = 0
disabled = 0

[monitor://D:\Program Files (x86)\Proficy\Proficy Server\LogFiles]
source = Log
sourcetype = CalculationMgr
recursive = false
whitelist = CalculationMgr-\d+(\d+).log$
followTail = 0
disabled = 0

[monitor://D:\Program Files (x86)\Proficy\Proficy Server\LogFiles]
source = Log
sourcetype = CalculationMgr
recursive = false
whitelist = CalculationMgr-*.log$
followTail = 0
disabled = 0

0 Karma
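One way to check a whitelist regex before putting it in inputs.conf, added here as an example and not part of the thread: the splunkd debug line above shows the generated whitelist ends in `.log$` while the real file ends in `.Log`, and both whitelist values tried in the post have regex problems (unescaped parentheses, and `-*` read as "zero or more hyphens" rather than a filename glob). The script below runs the two posted patterns and a hypothetical corrected pattern against constructed sample paths. The corrected pattern and the sample paths are assumptions, and Python's `re` stands in for Splunk's PCRE engine, which treats these constructs the same way.

```python
import ntpath
import re

# Constructed sample paths, modelled on the file named in the splunkd debug line
# in this thread (note the capital "L" in ".Log"); not taken from a real host.
SAMPLE_PATHS = [
    r"D:\Program Files (x86)\Proficy\Proficy Server\LogFiles\CalculationMgr-1023(11).Log",
    r"D:\Program Files (x86)\Proficy\Proficy Server\LogFiles\CalculationMgr-1024(3).Log",
    r"D:\Program Files (x86)\Proficy\Proficy Server\LogFiles\Other-1023(11).Log",
    r"D:\Program Files (x86)\Proficy\Proficy Server\LogFiles\CalculationMgr-1023(11).Log.bak",
]

# The two whitelist values tried in the post, plus a hypothetical corrected one.
PATTERNS = {
    # "(\d+)" is a capture group, so the literal "(11)" in the name is never matched,
    # and the unescaped "." followed by lowercase "log" only accepts ".log" exactly.
    "posted_digits": r"CalculationMgr-\d+(\d+).log$",
    # "-*" means "zero or more hyphens", not a glob, so the number part never matches.
    "posted_glob": r"CalculationMgr-*.log$",
    # Assumption (not from the thread): escape the parentheses and the dot,
    # and make the match case-insensitive so ".Log" is accepted.
    "corrected": r"(?i)CalculationMgr-\d+\(\d+\)\.log$",
}


def whitelist_matches(pattern: str, path: str) -> bool:
    """Splunk tests a monitor whitelist as an unanchored regex against the full path."""
    return re.search(pattern, path) is not None


def files_matching(pattern_name: str, paths=SAMPLE_PATHS) -> list:
    """Return the basenames of the sample paths that a named whitelist would admit."""
    pattern = PATTERNS[pattern_name]
    return [ntpath.basename(p) for p in paths if whitelist_matches(pattern, p)]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:14s} -> {files_matching(name)}")
```

If the corrected pattern admits exactly the files you expect, it would go in the `whitelist =` line of the directory-monitor stanza from the post (a suggestion, not something verified in this thread). The same check works for a wildcard `[monitor://...]` path: paste the regex that splunkd prints at DEBUG level into `PATTERNS` and run it against the real filenames.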

skoelpin
SplunkTrust

It would be helpful if you posted your stanza.

0 Karma