Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Wildcarding help in inputs.conf -- controlling directory depth

Josh
Path Finder
‎04-21-2010 09:27 AM

Inputs.conf: The stanza [monitor:///app/fao/dittradeflow/servers/.../logs] will look at all folders and subfolders within servers for a dir named logs, how can we modify this so that only the directories within the servers directory are checked for the subfolder logs

E.g. 
We want to monitor for the following:

monitor:///app/fao/dittradeflow/servers/tc3/logs or monitor:///app/fao/dittradeflow/servers/tc2/logs

  But we do not want to monitor:

    monitor:///app/fao/dittradeflow/servers/tc3/stage/logs or monitor:///app/fao/dittradeflow/servers/tc3/stage/CQS
Tags (1)
Reply

jrodman
Splunk Employee
Splunk Employee
‎04-22-2010 07:18 PM

You can use a whitelist or blacklist to constrain the input behavior, or use the wildcarding inputs to implicitly create this, eg:

[monitor:///app/fao/dittradeflow/servers/*/logs]

'...' matches any number of directory layers. '*' does not cross directory layers. Thus a matching file would have to contain /app/fao/dittratde/flow/severrs/<somedirectory>/logs This could be something ending in servers/directory/logs-file.log, though. If you want to enforce that 'logs' is a directory and not part of a filename, use:

[monitor:///app/fao/dittradeflow/servers/*/logs/]
0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎09-08-2010 08:39 PM

The documentation is incorrect. I'm not sure exactly what it was trying to convey, but it will get some edits.

0 Karma
Reply

drawks
Explorer
‎09-08-2010 06:28 PM

" * matches anything in that specific path segment. It cannot be used inside of a directory path; it must be used in the last segment of the path. For example /foo/*.log matches /foo/bar.log but not /foo/bar.txt or /foo/bar/test.log. "

Looks like the documentation explicitly contradicts your example.

0 Karma
Reply

thall79
Communicator
‎04-21-2010 12:56 PM

Not sure if you read this post:

http://answers.splunk.com/questions/1472/disable-monitoring-of-sub-directories

but gkanapathy suggested to another splunker to use blacklisting. Sounds like it would work for you and me.

Travis.

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...