Splunk Search

Wildcarding help in inputs.conf -- controlling directory depth

Josh
Path Finder

Inputs.conf: The stanza [monitor:///app/fao/dittradeflow/servers/.../logs] will look at all folders and subfolders within servers for a dir named logs, how can we modify this so that only the directories within the servers directory are checked for the subfolder logs

E.g. 
We want to monitor for the following:

monitor:///app/fao/dittradeflow/servers/tc3/logs or monitor:///app/fao/dittradeflow/servers/tc2/logs

  But we do not want to monitor:

    monitor:///app/fao/dittradeflow/servers/tc3/stage/logs or monitor:///app/fao/dittradeflow/servers/tc3/stage/CQS
Tags (1)

jrodman
Splunk Employee
Splunk Employee

You can use a whitelist or blacklist to constrain the input behavior, or use the wildcarding inputs to implicitly create this, eg:

[monitor:///app/fao/dittradeflow/servers/*/logs]

'...' matches any number of directory layers. '*' does not cross directory layers. Thus a matching file would have to contain /app/fao/dittratde/flow/severrs/<somedirectory>/logs This could be something ending in servers/directory/logs-file.log, though. If you want to enforce that 'logs' is a directory and not part of a filename, use:

[monitor:///app/fao/dittradeflow/servers/*/logs/]
0 Karma

jrodman
Splunk Employee
Splunk Employee

The documentation is incorrect. I'm not sure exactly what it was trying to convey, but it will get some edits.

0 Karma

drawks
Explorer

" * matches anything in that specific path segment. It cannot be used inside of a directory path; it must be used in the last segment of the path. For example /foo/*.log matches /foo/bar.log but not /foo/bar.txt or /foo/bar/test.log. "

Looks like the documentation explicitly contradicts your example.

0 Karma

thall79
Communicator

Not sure if you read this post:

http://answers.splunk.com/questions/1472/disable-monitoring-of-sub-directories

but gkanapathy suggested to another splunker to use blacklisting. Sounds like it would work for you and me.

Travis.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...