Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

input.conf path has numbers how do i capture this?

zergid
New Member
‎09-13-2014 01:47 AM

our log path looks like this

/var/www/webapp/application/logs/2014/09/13/03.log

where 2014 is the year, 09 is the month, 13 is the day, and 03 is the hour.

How can i capture this path pattern in input.conf so all auto generated starting with the year, month, day, hour are captured and the logs are sent to splunkstorm index?

0 Karma
Reply

kml_uvce
Builder
‎09-14-2014 03:09 AM

Use regex under stanza

[monitor:///var/www/webapp/logs]
whitelist=\/var\/www\/webapp\/application\/logs\/\d{4}\/\d{2}\/\d{2}.log

Please change regex if it does not work 🙂

Reply

jrodman
Splunk Employee
Splunk Employee
‎09-14-2014 05:18 PM

This will definitely limit the stanza to only match filenames like that (though I recommend anchoring the regex with ^ and $, but it won't make the numbers available elsewhere.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎09-13-2014 06:17 PM

EDIT: I may have misunderstood your goal, and perahaps the other answer is the one you want.
If you just want to index those files, a wildcards or regex whitelist will do the job.

If you want to find out the times from the path, the rest of my answer is relevant.

Splunk will attempt to guess the date from the filename first by TIME_FORMAT and then falling back to regexes as an initial seed/guess value before running the time extraction per-event logic. In other words the filename can influence timestamping.

However, I'm unclear whether the full path is passed into this logic. I think it is not.

The remaining options are:

  • ensure the modtime is accurate. Splunk will use the modtime as a guide for the data, so the pathname may be unnecessary.
  • Put the date into the filename so that the filename logic can work
  • Put timestamps in the file

Timestamps in the file is definitely the best outcome, but it might not be an availble choice to you.

Reply

kristian_kolb
Ultra Champion
‎09-13-2014 04:49 AM

have you looked at the wildcard characters? Either of the following should work - take a look at the docs for inputs.conf in the Search Reference manual.

[monitor:///var/www/webapp/logs/.../*.log]
[monitor:///var/www/webapp/logs/2014/*/*/*.log]

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...