I think I'm missing a clue here. I have logs being dumped in /var/log/splunk; most devices are appliances, not in DNS, and I have resolution turned off in syslog-ng anyway. So I end up with hundreds of directories by IP address under /var/log/splunk. FWIW, my full log paths are actually /var/log/splunk/host/month/day.log.
Oftentimes I'll have a range of addresses that are part of a single system, so I want them all in a single index and a single source type. I figured it would be easy to write a monitor:: stanza to pick up a range of IPs, and it was, except it does not work.
So, here is what I have; what did I do wrong? In this example I want to pick up everything below /var/log/splunk/10.10.10.132 through /var/log/splunk/10.10.10.141:
[monitor:///var/log/splunk/.../10\.10\.10\.(1(3[2-9]|4[0-1]))]
host_segment=4
sourcetype=bar
index=foo
...etc..
I'm also wondering what kind of hit I'm putting on my syslog forwarder when I start using regex in inputs.conf. Is it better to just have an individual monitor:: line for each IP? It would be easy enough to write a script that auto-generates my inputs.conf from a list of IPs; in the end, I will have thousands of devices sending data over syslog.
Thanks!
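The post raises two practical points: matching a contiguous range of per-IP directories with a single stanza, and generating inputs.conf from a list of addresses by script. The Python below is an added example written for this thread, not code from the original post or from Splunk. It assumes Splunk's real `whitelist` attribute on a monitor stanza (a regex tested against the full path of each file the monitor discovers), Linux-style `/` path separators, and the post's `/var/log/splunk/host/month/day.log` layout. The helper names (`range_regex`, `host_whitelist`, `monitor_stanza`, `path_is_whitelisted`) and the sample paths are my own constructions.

```python
"""Build one Splunk monitor stanza whose whitelist regex covers a range of
per-IP syslog directories, and check candidate paths against that regex.
Added example for this thread; assumes the inputs.conf `whitelist` attribute
is a regex matched against the full path of each discovered file."""
import ipaddress
import re

BASE_DIR = "/var/log/splunk"  # from the post: BASE_DIR/<host>/<month>/<day>.log


def range_regex(start: int, end: int) -> str:
    """Regex group matching the decimal integers start..end inclusive.

    Plain enumeration: the last octet has at most 256 values, so the resulting
    alternation is short and avoids off-by-one errors in hand-built classes.
    """
    if not 0 <= start <= end <= 255:
        raise ValueError("octet range must satisfy 0 <= start <= end <= 255")
    return "(?:" + "|".join(str(n) for n in range(start, end + 1)) + ")"


def host_whitelist(first_ip: str, last_ip: str) -> str:
    """Anchored regex for any file under BASE_DIR/<ip>/ with <ip> in [first_ip, last_ip].

    Restricted to a single /24 (same first three octets) so the range is
    expressed as one prefix plus a last-octet alternation.  The trailing '/'
    stops a longer directory name from matching on a prefix.
    """
    a, b = ipaddress.IPv4Address(first_ip), ipaddress.IPv4Address(last_ip)
    if a > b:
        raise ValueError("first_ip must not exceed last_ip")
    pa, pb = str(a).split("."), str(b).split(".")
    if pa[:3] != pb[:3]:
        raise ValueError("this helper only handles ranges inside one /24")
    prefix = re.escape(".".join(pa[:3]))  # escapes the dots: 10\.10\.10
    octets = range_regex(int(pa[3]), int(pb[3]))
    return rf"^{re.escape(BASE_DIR)}/{prefix}\.{octets}/"


def monitor_stanza(first_ip: str, last_ip: str, index: str, sourcetype: str) -> str:
    """One stanza for the whole range.  host_segment = 4 takes the host name from
    the fourth path segment (/var/log/splunk/<host>/...), as in the post."""
    return "\n".join([
        f"[monitor://{BASE_DIR}]",
        f"whitelist = {host_whitelist(first_ip, last_ip)}",
        "host_segment = 4",
        f"sourcetype = {sourcetype}",
        f"index = {index}",
        "",
    ])


def path_is_whitelisted(path: str, first_ip: str, last_ip: str) -> bool:
    """Evaluate a candidate file path the way the whitelist regex would."""
    return re.search(host_whitelist(first_ip, last_ip), path) is not None


# Constructed sample paths following the post's BASE_DIR/host/month/day.log layout.
SAMPLE_PATHS = [
    "/var/log/splunk/10.10.10.132/05/17.log",   # first host in range  -> in
    "/var/log/splunk/10.10.10.141/05/17.log",   # last host in range   -> in
    "/var/log/splunk/10.10.10.131/05/17.log",   # one below the range  -> out
    "/var/log/splunk/10.10.10.142/05/17.log",   # one above the range  -> out
    "/var/log/splunk/10.10.11.135/05/17.log",   # different /24        -> out
    "/var/log/splunk/10.10.10.1321/05/17.log",  # prefix-only match    -> out
]

if __name__ == "__main__":
    print(monitor_stanza("10.10.10.132", "10.10.10.141", "foo", "bar"))
    for p in SAMPLE_PATHS:
        verdict = "IN " if path_is_whitelisted(p, "10.10.10.132", "10.10.10.141") else "out"
        print(verdict, p)
```

Because the whitelist is evaluated against file paths when the monitor discovers them rather than against each log line, the cost of the regex scales with the number of files found, not with syslog volume. Anchoring the pattern with `^` and a trailing `/` is what keeps a neighbouring appliance (say 10.10.10.142, or a host in another /24) from silently landing in the wrong index and sourcetype.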