Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure inputs.conf to setup two separate monitoring rules?

khuongdp
New Member
‎10-21-2014 07:19 AM

I have these 2 group:

[monitor:///pack/jboss/server/edu01_*/logs/server.log]
sourcetype = server_log
index = myindex

[monitor:///pack/jboss/server/staging_xxx/log/server.log]
sourcetype = server_log
index = anothterindex

list monitor only show:
/pack/jboss/server/edu01_xxx/logs/server.log
/pack/jboss/server/edu01_yyy/logs/server.log

REST API (8089) show:
parent /pack/jboss/server/staging_xxx/log/server.log
type Did not match partial whitelist '^/pack/jboss/server/edu01_[^/]*/log/server.log$'.

I looks like it's using the same rule for both. I want to separate these rules.

Tags (1)
0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-21-2014 04:52 PM

The problem you're having is that a wildcard in the path specification of a monitor: stanza is implemented on the backend of a monitor: of the longest fixed path, and a whitelist = * regex to match the specific entries according to the original monitor: stanza. This means that the monitor stanza for "/pack/jboss/server/staging_xxx/log/server.log" is a descendent of the (implicit) rule: "/pack/jboss/server" (with whitelist...). If the list of edu_ subdirs is not large, you could iterate each.

You could also try this. Explicitly monitor the top-level directory, and include a whitelist to match the subpaths.

[monitor:///pack/jboss/server]
whitelist = (edu_.*|staging_xxx)/log/server.log
sourcetype = server_log

OMIT the sourcetype, but add a props.conf to include a source-based rule:

[source::///pack/jboss/server/staging_xxx/log/server.log]
index = foo

[source::///pack/jboss/server/edu_.*/log/server.log]
index = bar

(I haven't tested this particular example, but I've done things like this in the past.)

0 Karma
Reply

khuongdp
New Member
‎10-22-2014 12:07 AM

Hi

We are using a managed Splunk and I think it's not possible to use props.conf in the Universal Splunk Forwarder. http://answers.splunk.com/answers/27373/universal-forwarder-and-props-conf-and-transforms-conf.html

Any other solutions?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...