How to add custom log file to splunk universal forwarder?

tirusplunk
Engager

I have an application which generates a log. I need to add this log file to the Splunk universal forwarder, so that it can be monitored by the indexer.

Thanks,
Tirumal


jtrucks
Splunk Employee

This is done in the inputs.conf file.

On the forwarder, edit $SPLUNK_HOME/etc/system/local/inputs.conf (create the file if it does not exist, but ensure the owner and group are the same as the user Splunk runs as on that system). Add a section like this:

[monitor:///path/to/your/app/log/directory]
disabled = false
sourcetype = yoursourcetypehere
index = yourappindexhere

Change the path to the appropriate directory for your application logs. Also, name the sourcetype as you want it to appear in Splunk, such as the name of your application - which would allow you to provide these logs from multiple systems for the same type of application with them all as the same sourcetype. If you want it to go into its own index, specify the name of the index, which must be created on the indexer, on that line. If you want the data to go into the default index, remove or comment out that line.

If you want to specify a specific name format for the log file in a directory full of other files, then add this line to the above stanza, as well:

whitelist = *.log

(Or whatever regex you need to match your filename pattern like myapp*.log.)

--
Jesse Trucks
Minister of Magic

k_harini
Communicator

Should this source type already exist in indexer? Or can it be a new one?


FloydATC
Explorer

"*.log" is not a valid regular expression because "*" is a quantifier and must be preceded by a pattern.

"myapp*.log" is a valid regular expression, but it probably doesn't match the way you want. It literally reads as
(anything, "myap", zero or more "p" characters, ANY character, "log", anything)

The regular expression you probably want is

\.log$

which reads as
(anything, literal ".", "log", end of line)

or

^myapp\.log$

which reads as
(beginning of line, "myapp", literal ".", "log", end of line)

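As an added example (not code from this thread or from Splunk), a small Python check that parses a monitor stanza from inputs.conf and tries each whitelist candidate discussed above against a constructed set of file paths. The stanza path, sourcetype, index and file names are made up for the demo. It also shows something the replies leave out: Splunk applies whitelist to the full path, not just the file name, so a pattern anchored with ^ at the file name never matches.

```python
import configparser
import re

# Constructed sample, not from the thread: the stanza from the accepted
# answer with the corrected whitelist suggested in the replies.
SAMPLE_INPUTS_CONF = r"""
[monitor:///var/log/myapp]
disabled = false
sourcetype = myapp
index = myapp_index
whitelist = \.log$
"""

# Constructed file names a monitor on that directory might encounter.
SAMPLE_PATHS = [
    "/var/log/myapp/myapp.log",
    "/var/log/myapp/myapp.log.1",
    "/var/log/myapp/myapp.log.gz",
    "/var/log/myapp/myapp-login.txt",  # "myapp*.log" matches this by accident
    "/var/log/myapp/backlog",
]

def parse_monitor_stanzas(text):
    """Return {stanza: {key: value}} for every [monitor://...] stanza.
    Splunk .conf files are INI-like; interpolation is off so a '%' in a
    path or regex is left alone."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("monitor://")}

def check_whitelist(pattern, paths):
    """Splunk treats whitelist as a regex searched against the FULL path.
    Returns (compile_error_or_None, list_of_paths_the_pattern_admits)."""
    try:
        rx = re.compile(pattern)
    except re.error as e:
        return str(e), []
    return None, [p for p in paths if rx.search(p)]

def audit(text, paths):
    """For each monitor stanza, report whether its whitelist compiles and
    which sample paths it would admit (no whitelist means all of them)."""
    report = {}
    for name, keys in parse_monitor_stanzas(text).items():
        wl = keys.get("whitelist")
        report[name] = (None, list(paths)) if wl is None else check_whitelist(wl, paths)
    return report

if __name__ == "__main__":
    for pat in ["*.log", "myapp*.log", r"\.log$", r"^myapp\.log$", r"/myapp\.log$"]:
        print(repr(pat), check_whitelist(pat, SAMPLE_PATHS))
    print(audit(SAMPLE_INPUTS_CONF, SAMPLE_PATHS))
```

Run it against your own inputs.conf and a listing of the monitored directory before restarting the forwarder; a whitelist that fails to compile or admits rotated and unrelated files is cheaper to catch here than in the index.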

jbarger
New Member

Forgive me, I'm new to this. I've updated the config file and restarted the service. Is there anything else I should be doing to be able to search logs on my instance, or do I need to do some sort of registration over on the Splunk instance? We're using Cloud.

Many Thanks!

tirusplunk
Engager

Thank you, jtrucks. It's working.
