Getting Data In

How many wild cards (*) can I put in monitoring path?

melonman
Motivator

Hi

I have configured the monitor path of inputs.conf.

/nfsmount/log/log.d*_vd*hoge*/*/*/aaa_*_bb*-ccc*.log

My question is how many wildcard characters I can put in the path.
Is there any limitation of use of wildcard in monitor path?

I have checked the following articles, but still can not find the answer...

http://splunk-base.splunk.com/answers/13613/use-of-wild-card-character-in-monitor-path
http://www.splunk.com/base/Documentation/latest/Data/Specifyinputpathswithwildcards

Any thought?

Thank you in advance!

Tags (1)
1 Solution

dwaddle
SplunkTrust
SplunkTrust

I don't think there is a practical limit. Unless this has changed in newer versions, Splunk implements wildcards in the monitor stanza using whitelist and blacklist under the covers. So, your rule of

[monitor:///nfsmount/log/log.d*_vd*hoge*/*/*/aaa_*_bb*-ccc*.log]

Translates underneath to something like:

[monitor:///nfsmount/log]
whitelist=^/nfsmount/log/log\.d[^/]*_vd[^/]*hoge/[^/]*/[^/]*/aaa_[^/]*_bb_[^/]*-ccc[^/]*\.log$

NOTE: The regex above may not be exactly how Splunk handles this internally, but is meant to be representative of how Splunk might implement it. And I might have just gotten the regex wrong :).

On the one hand, you can implement this yourself (perhaps more easily) using whitelist/blacklist. But, on the other, I am concerned that either way you implement this it will deeply recurse through /nfsmount/log, which may not perform very well, depending on how many files exist in this tree.

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

I don't think there is a practical limit. Unless this has changed in newer versions, Splunk implements wildcards in the monitor stanza using whitelist and blacklist under the covers. So, your rule of

[monitor:///nfsmount/log/log.d*_vd*hoge*/*/*/aaa_*_bb*-ccc*.log]

Translates underneath to something like:

[monitor:///nfsmount/log]
whitelist=^/nfsmount/log/log\.d[^/]*_vd[^/]*hoge/[^/]*/[^/]*/aaa_[^/]*_bb_[^/]*-ccc[^/]*\.log$

NOTE: The regex above may not be exactly how Splunk handles this internally, but is meant to be representative of how Splunk might implement it. And I might have just gotten the regex wrong :).

On the one hand, you can implement this yourself (perhaps more easily) using whitelist/blacklist. But, on the other, I am concerned that either way you implement this it will deeply recurse through /nfsmount/log, which may not perform very well, depending on how many files exist in this tree.

melonman
Motivator

Thans, dwaddle!

0 Karma

tskinnerivsec
Contributor

Does this example monitor stanza work? I'm trying to do something very similar:
[monitor:///var/log/syslog/sw]

and this didn't pull in any data.

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...