Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About xdaxdb
xdaxdb
Explorer
Member since:
01-29-2013
06-05-2020
Community Statistics
| Posts | 6 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 01-29-2013 |
Activity Feed
- Karma Re: Why am I getting unexpected behavior specifying files as data inputs versus directories? for ShaneNewman. 06-05-2020 12:47 AM
- Posted Re: Why am I getting unexpected behavior specifying files as data inputs versus directories? on Getting Data In. 10-23-2014 10:01 AM
- Posted Re: Why am I getting unexpected behavior specifying files as data inputs versus directories? on Getting Data In. 10-23-2014 09:30 AM
- Posted Re: Why am I getting unexpected behavior specifying files as data inputs versus directories? on Getting Data In. 10-23-2014 09:07 AM
- Posted Re: Why am I getting unexpected behavior specifying files as data inputs versus directories? on Getting Data In. 10-22-2014 03:58 PM
- Posted Re: Why is my auditd log data not appearing in Splunk and don't see any errors in splunkd.log on forwarder or indexers? on Getting Data In. 10-22-2014 10:09 AM
- Posted Why am I getting unexpected behavior specifying files as data inputs versus directories? on Getting Data In. 10-22-2014 10:05 AM
- Tagged Why am I getting unexpected behavior specifying files as data inputs versus directories? on Getting Data In. 10-22-2014 10:05 AM
- Tagged Why am I getting unexpected behavior specifying files as data inputs versus directories? on Getting Data In. 10-22-2014 10:05 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
10-23-2014
10:01 AM
Don't try to put files in the same directory into different indexes. Either put the logs destined for different indexes in different directories or put them all in the same index.
Using the whitelist approach with multiple indexes won't work because your [monitor:///] stanzas will have the same name and Splunk seems to ignore all but the last stanza.
In regards to the host = being blank. I was instructed to do that by an Splunk engineer. I haven't had any issues with host tagging. I would rather have no host tag than have the tag default to the syslog server itself because that throws off my reports. The syslog server itself is a server that needs to be managed and monitored.
... View more
10-23-2014
09:30 AM
Why can't I comment on people's answers? That seems counter productive.
... View more
10-23-2014
09:07 AM
Well it's your site. But I think the subject line implies things that are not really inline with what I am asking. THis is my first time setting up Splunk I would rather have someone tell me I'm using the wrong approach than help me waste hours, or days trying to shoe horn it in the way I initially tried to do it.
... View more
10-22-2014
03:58 PM
Don't edit my question unless you plan to answer it.
This subject makes it sound like I didn't do any research at all.
... View more
10-22-2014
10:09 AM
I'm guessing it has something to do with user roles / permissions on the user account you are searching with.
But, I am very new to splunk so I could be wrong
... View more
10-22-2014
10:05 AM
I am not getting expected behavior when specifying inputs.
All my logs are in a folder called "/syslog/"
1.3M -rw-r--r-- 1 root root 1.3M Oct 22 09:42 cron
8.6M -rw-r--r-- 1 root root 8.6M Oct 21 17:26 cron.1413937561.gz
4.3M -rw-r--r-- 1 root root 4.2M Oct 22 09:42 maillog
1.2M -rw-r--r-- 1 root root 1.2M Oct 21 17:08 maillog.1413936480.gz
8.1M -rw-r--r-- 1 root root 8.1M Oct 22 09:42 messages
868K -rw-r--r-- 1 root root 866K Oct 22 04:59 messages.1413979164.gz
872K -rw-r--r-- 1 root root 869K Oct 22 06:40 messages.1413985201.gz
872K -rw-r--r-- 1 root root 871K Oct 22 08:20 messages.1413991204.gz
636K -rw-r--r-- 1 root root 632K Oct 22 09:42 secure
1.8M -rw-r--r-- 1 root root 1.8M Oct 21 17:07 secure.1413936453.gz
I have an input defined as:
[monitor:///syslog/messages*]
disabled = false
followTail = 0
host =
host_regex =
sourcetype = syslog
index = messages
I want all log files called "messages" or "messages..gz" to be indexed in the messages index. However currently all logs in the directory are being indexed in the messages index.
Do I need to only specify directories as inputs? I thought I could specify a file.
Edit -
I was using the splunk list monitor command, I see the problem sort of. one of my inputs is being treated as a directory and is matching this it seems like it shouldn't and the other inputs are seen as files and not matching even though they seem like they should.
Monitored Directories:
...
/syslog/secur*
/syslog/cron
/syslog/cron.1413937561.gz
/syslog/maillog
/syslog/maillog.1413936480.gz
/syslog/messages
/syslog/messages.1413936430.gz
/syslog/messages.1413942613.gz
/syslog/messages.1413948715.gz
/syslog/messages.1413954849.gz
/syslog/messages.1413960903.gz
/syslog/messages.1413967086.gz
/syslog/messages.1413973094.gz
/syslog/messages.1413979164.gz
/syslog/messages.1413985201.gz
/syslog/messages.1413991204.gz
/syslog/messages.1413997262.gz
/syslog/messages.1414003369.gz
/syslog/messages.1414009642.gz
/syslog/messages.1414015924.gz
/syslog/secure
/syslog/secure.1413936453.gz
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/syslog/boo*
/syslog/cro*
/syslog/maillo*
/syslog/message*
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
