Getting Data In

How many wild cards (*) can I put in monitoring path?

melonman
Motivator

Hi

I have configured the monitor path of inputs.conf.

/nfsmount/log/log.d*_vd*hoge*/*/*/aaa_*_bb*-ccc*.log

My question is how many wildcard characters I can put in the path.
Is there any limitation of use of wildcard in monitor path?

I have checked the following articles, but still can not find the answer...

http://splunk-base.splunk.com/answers/13613/use-of-wild-card-character-in-monitor-path
http://www.splunk.com/base/Documentation/latest/Data/Specifyinputpathswithwildcards

Any thought?

Thank you in advance!

Tags (1)
1 Solution

dwaddle
SplunkTrust
SplunkTrust

I don't think there is a practical limit. Unless this has changed in newer versions, Splunk implements wildcards in the monitor stanza using whitelist and blacklist under the covers. So, your rule of

[monitor:///nfsmount/log/log.d*_vd*hoge*/*/*/aaa_*_bb*-ccc*.log]

Translates underneath to something like:

[monitor:///nfsmount/log]
whitelist=^/nfsmount/log/log\.d[^/]*_vd[^/]*hoge/[^/]*/[^/]*/aaa_[^/]*_bb_[^/]*-ccc[^/]*\.log$

NOTE: The regex above may not be exactly how Splunk handles this internally, but is meant to be representative of how Splunk might implement it. And I might have just gotten the regex wrong :).

On the one hand, you can implement this yourself (perhaps more easily) using whitelist/blacklist. But, on the other, I am concerned that either way you implement this it will deeply recurse through /nfsmount/log, which may not perform very well, depending on how many files exist in this tree.

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

I don't think there is a practical limit. Unless this has changed in newer versions, Splunk implements wildcards in the monitor stanza using whitelist and blacklist under the covers. So, your rule of

[monitor:///nfsmount/log/log.d*_vd*hoge*/*/*/aaa_*_bb*-ccc*.log]

Translates underneath to something like:

[monitor:///nfsmount/log]
whitelist=^/nfsmount/log/log\.d[^/]*_vd[^/]*hoge/[^/]*/[^/]*/aaa_[^/]*_bb_[^/]*-ccc[^/]*\.log$

NOTE: The regex above may not be exactly how Splunk handles this internally, but is meant to be representative of how Splunk might implement it. And I might have just gotten the regex wrong :).

On the one hand, you can implement this yourself (perhaps more easily) using whitelist/blacklist. But, on the other, I am concerned that either way you implement this it will deeply recurse through /nfsmount/log, which may not perform very well, depending on how many files exist in this tree.

melonman
Motivator

Thans, dwaddle!

0 Karma

tskinnerivsec
Contributor

Does this example monitor stanza work? I'm trying to do something very similar:
[monitor:///var/log/syslog/sw]

and this didn't pull in any data.

0 Karma
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...