
How to configure inputs.conf to set up two separate monitoring rules?

khuongdp
New Member

I have these 2 groups:

[monitor:///pack/jboss/server/edu01_*/logs/server.log]
sourcetype = server_log
index = myindex

[monitor:///pack/jboss/server/staging_xxx/log/server.log]
sourcetype = server_log
index = anothterindex

list monitor only shows:
/pack/jboss/server/edu01_xxx/logs/server.log
/pack/jboss/server/edu01_yyy/logs/server.log

REST API (8089) shows:
parent /pack/jboss/server/staging_xxx/log/server.log
type Did not match partial whitelist '^/pack/jboss/server/edu01_[^/]*/log/server.log$'.

It looks like it's using the same rule for both. I want to separate these rules.

0 Karma

sowings
Splunk Employee

The problem you're having is that a wildcard in the path specification of a monitor: stanza is implemented on the backend as a monitor: of the longest fixed path, and a whitelist = * regex to match the specific entries according to the original monitor: stanza. This means that the monitor stanza for "/pack/jboss/server/staging_xxx/log/server.log" is a descendant of the (implicit) rule: "/pack/jboss/server" (with whitelist...). If the list of edu_ subdirs is not large, you could iterate each.

You could also try this. Explicitly monitor the top-level directory, and include a whitelist to match the subpaths.

[monitor:///pack/jboss/server]
whitelist = (edu_.*|staging_xxx)/log/server.log
sourcetype = server_log

OMIT the sourcetype, but add a props.conf to include a source-based rule:

[source::///pack/jboss/server/staging_xxx/log/server.log]
index = foo
[source::///pack/jboss/server/edu_.*/log/server.log]
index = bar

(I haven't tested this particular example, but I've done things like this in the past.)

0 Karma
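
The conversion described in the answer above, modeled in Python as an added example (not Splunk's code and not part of the original posts). It splits a monitor path at its first wildcard segment into a base directory and an anchored whitelist regex, assuming `*` becomes `[^/]*` and `...` becomes `.*`; the names `implicit_monitor` and `explain` are hypothetical.

```python
import re

def implicit_monitor(path):
    """Return (base, whitelist) for a monitor path; whitelist is None without wildcards."""
    segments = path.split("/")
    fixed = []
    for seg in segments:
        if "*" in seg or "..." in seg:
            break                     # first wildcard segment ends the fixed part
        fixed.append(seg)
    if len(fixed) == len(segments):
        return path, None             # plain path: monitored as written
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")          # assumed: '...' recurses through directories
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")       # assumed: '*' stays inside one path segment
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return "/".join(fixed) or "/", "^" + "".join(out) + "$"

def explain(file_path, stanza_paths):
    """Per stanza: (base, file lies under base, file passes the whitelist)."""
    report = {}
    for stanza in stanza_paths:
        base, whitelist = implicit_monitor(stanza)
        under = file_path == base or file_path.startswith(base.rstrip("/") + "/")
        passes = under and (whitelist is None
                            or re.match(whitelist, file_path) is not None)
        report[stanza] = (base, under, passes)
    return report

# The two monitor paths from the question above.
STANZAS = [
    "/pack/jboss/server/edu01_*/logs/server.log",
    "/pack/jboss/server/staging_xxx/log/server.log",
]

if __name__ == "__main__":
    for f in ("/pack/jboss/server/edu01_xxx/logs/server.log",
              "/pack/jboss/server/staging_xxx/log/server.log"):
        for stanza, (base, under, passes) in explain(f, STANZAS).items():
            print(f"{f}\n  stanza={stanza}\n  base={base} under={under} passes={passes}")
```

For the staging file, the first stanza reports that the file lies under the implicit base `/pack/jboss/server` but fails the whitelist, which is the condition the REST output in the question describes.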

khuongdp
New Member

Hi

We are using a managed Splunk and I think it's not possible to use props.conf in the Universal Splunk Forwarder. http://answers.splunk.com/answers/27373/universal-forwarder-and-props-conf-and-transforms-conf.html

Any other solutions?

0 Karma