
Expand inputs.conf with wildcards

tyronetv
Communicator

Does anyone know of a tool that will 'expand' the monitor stanza from inputs.conf on a universalforwarder to show an example of logs to be watched?

I.e., I have a monitor stanza:

[monitor:///path/to/some/*/dir]
whitelist = /file_name(s).log$

And before I restart Splunk and do the 'hope it works' test, I was wondering whether there was a tool that would, using Splunk's logic, show me all the files the above would 'see' for monitoring.

I have multiple 'client' directories (replaced above by the *) where some have specific logs and some do not. I would rather write one monitor for each type of log versus writing a new monitor stanza per client dir/log type.

And I need to test it before pulling the trigger and not impact other, already configured, data-gathering.


jtrucks
Splunk Employee

A fairly simplistic approach is just to use ls:

ls -d /path/to/some/*/dir
ls -d /path/to/some/*/dir/file_name*.log

The result is how the system will glob the filenames and create paths.

Also, you could quickly write something in perl, python, C, or any other language with a similar function. Then you could have that program pull any line with "[monitor…]" to parse the paths and glob them for you.

For a working way to do this really quick and dirty, do this:

ls -d $( awk '/monitor/' inputs.conf | sed -e 's|\[monitor://||' -e 's|\]$||' )

Obviously adjust where you run this or specify full path to inputs.conf.

--
Jesse Trucks
Minister of Magic

jtrucks
Splunk Employee

There isn't a premade tool that does that to date that anyone has published. It might make a good feature request to Splunk.

--
Jesse Trucks
Minister of Magic

tyronetv
Communicator

The awk statement is fine and almost a mirror of what I've already done. I am looking for something that essentially mimics the expansion of the entire monitor stanza to include file names identified by the white/black lists as well as the monitor line.

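Added example, not code from this thread or from Splunk itself: a Python script along the lines jtrucks suggests above (pull the [monitor://...] lines, glob the paths), extended to apply the whitelist/blacklist regexes as the follow-up asks. It assumes Splunk's documented path rules (* matches within one path segment, ... matches any depth, a matched directory is walked recursively, whitelist/blacklist are regexes tested against the full path) and builds a constructed client tree plus inputs.conf in a temp directory so it runs offline.

```python
# Added example, not the thread's or Splunk's own code: expand the
# [monitor://...] stanzas of an inputs.conf and apply whitelist/blacklist.
import configparser, glob, os, re, tempfile

MONITOR = "monitor://"

def expand_monitor_stanzas(inputs_conf):
    # Assumed Splunk semantics: '*' stays within one path segment, '...' is
    # any depth, matched directories are walked recursively, and whitelist
    # is applied before blacklist, both as regexes over the full path.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(inputs_conf)
    expanded = {}
    for section in cp.sections():
        if not section.startswith(MONITOR):
            continue
        # Python's glob: '*' never crosses '/', '**' is the recursive form.
        pattern = section[len(MONITOR):].replace("...", "**")
        candidates = []
        for hit in glob.glob(pattern, recursive=True):
            if os.path.isdir(hit):
                for d, _, files in os.walk(hit):
                    candidates.extend(os.path.join(d, f) for f in files)
            elif os.path.isfile(hit):
                candidates.append(hit)
        wl = cp[section].get("whitelist")
        bl = cp[section].get("blacklist")
        kept = [p for p in candidates
                if (not wl or re.search(wl, p)) and not (bl and re.search(bl, p))]
        expanded[section] = sorted(kept)
    return expanded

def demo():
    # Constructed client tree and inputs.conf; returns paths relative to it.
    base = tempfile.mkdtemp()
    tree = {"acme": ["app.log", "app.log.1", "other.txt"],
            "globex": ["app.log"], "initech": ["app.log"]}
    for client, files in tree.items():
        logdir = os.path.join(base, "clients", client, "logs")
        os.makedirs(logdir)
        for name in files:
            open(os.path.join(logdir, name), "w").close()
    conf = os.path.join(base, "inputs.conf")
    stanza = f"{MONITOR}{base}/clients/*/logs"
    with open(conf, "w") as fh:
        fh.write(f"[{stanza}]\nwhitelist = /app\\.log$\nblacklist = /initech/\n")
    return [os.path.relpath(p, base) for p in expand_monitor_stanzas(conf)[stanza]]
```

Run it against a real inputs.conf by calling expand_monitor_stanzas() on that file; the demo only shows that app.log.1 and other.txt fail the whitelist and the initech client is dropped by the blacklist.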

jtrucks
Splunk Employee

I assume the poster downvoted me because I didn't provide a ready to use answer, so now there is one. Please upvote it and accept as working if you test this and it works.

Thanks.

--
Jesse Trucks
Minister of Magic