How to add custom log file to splunk universal forwarder?
I have an application which generates logs. I need to add this log file to the Splunk universal forwarder, so that it can be monitored by the indexer.
Thanks,
Tirumal
This is done in the inputs.conf file.
On the forwarder, edit $SPLUNK_HOME/etc/system/local/inputs.conf
(create the file if it does not exist, but ensure the owner and group is the same user Splunk runs as on that system). Add a section like this:
[monitor:///path/to/your/app/log/directory]
disabled = false
sourcetype = yoursourcetypehere
index = yourappindexhere
Change the path to the appropriate directory for your application logs. Also, name the sourcetype with the name as you want it to appear in Splunk as the sourcetype, such as the name of your application - which would allow you to provide these logs from multiple systems for the same type of application with them all as the same sourcetype. If you want it to go into its own index, specify the name of the index, which must be created on the indexer, on that line. If you want the data to go into the default index, remove or comment out that line.
If you want to specify a specific name format for the log file in a directory full of other files, then add this line to the above stanza, as well:
whitelist = *.log
(Or whatever regex you need to match your filename pattern, like myapp*.log.)
Should this source type already exist in indexer? Or can it be a new one?
"*.log" is not a valid regular expression because "*" is a quantifier and must be preceded by a pattern.
"myapp*.log" is a valid regular expression, but it probably doesn't match the way you want. It literally reads as
(anything, "myap", zero or more "p" characters, ANY character, "log", anything)
The regular expression you probably want is
\.log$
which reads as
(anything, literal ".", "log", end of line)
or
^myapp\.log$
which reads as
(beginning of line, "myapp", literal ".", "log", end of line)
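To make the two points above concrete (the [monitor://] stanza in jtrucks's answer and the whitelist regex discussion in this comment), here is an added example that is not part of the original thread. It uses Python's re module as a stand-in for the PCRE matching Splunk performs; for these patterns the behaviour is the same. The sample paths, the directory /opt/myapp/logs, the sourcetype and index names, and the helper functions are all assumptions for illustration. One caveat worth knowing: Splunk applies whitelist and blacklist to the full path of each file, not just the basename, so a pattern anchored with ^ at a bare filename never matches, and a loose pattern such as myapp*.log will admit every file under a directory whose name contains "myapp".

```python
import re

# Constructed sample paths, as the forwarder would see them while scanning a
# monitored directory. These are illustrative, not taken from the thread.
SAMPLE_PATHS = [
    "/opt/myapp/logs/myapp.log",
    "/opt/myapp/logs/myapp.log.1",
    "/opt/myapp/logs/myapxlog",
    "/opt/myapp/logs/other.log",
    "/opt/myapp/logs/myapp.pid",
]


def is_valid_regex(pattern):
    """True if the pattern compiles; '*.log' fails because '*' has nothing to repeat."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def whitelist_matches(pattern, paths):
    """Return the paths a Splunk-style whitelist regex would admit.

    Splunk matches the regex against the full path, unanchored (a search, not
    a full match), so re.search is the right stand-in here.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def monitor_stanza(directory, sourcetype, index=None, whitelist=None):
    """Build an inputs.conf [monitor://] stanza, refusing an invalid whitelist.

    Validating the regex before writing it out is the check a practitioner
    wants: a bad whitelist silently admits nothing, so the input looks
    configured but no events arrive.
    """
    if whitelist is not None and not is_valid_regex(whitelist):
        raise ValueError(f"whitelist is not a valid regex: {whitelist!r}")
    lines = [
        f"[monitor://{directory}]",
        "disabled = false",
        f"sourcetype = {sourcetype}",
    ]
    if index:
        lines.append(f"index = {index}")
    if whitelist:
        lines.append(f"whitelist = {whitelist}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # 1. The pattern from the original answer is not a regex at all.
    print("'*.log' valid regex?", is_valid_regex(r"*.log"))

    # 2. 'myapp*.log' over-matches: the '.' swallows the '/' after 'myapp'
    #    and 'log' then matches the 'logs' directory, so every file is admitted.
    for pattern in (r"myapp*.log", r"\.log$", r"^myapp\.log$", r"/myapp\.log$"):
        print(f"{pattern:>15}: {whitelist_matches(pattern, SAMPLE_PATHS)}")

    # 3. The stanza you would actually write into inputs.conf.
    print(monitor_stanza("/opt/myapp/logs", "myapp", "myapp_idx", r"\.log$"))
```

Running it shows that `myapp*.log` admits all five paths (the `.` matches the `/` separator and `log` matches the `logs` directory name), `\.log$` admits only the two files that end in `.log`, `^myapp\.log$` admits nothing because the full path never starts with `myapp`, and `/myapp\.log$` admits exactly the one intended file. Anchoring on the path separator rather than `^` is the portable fix. After editing inputs.conf you can confirm what the forwarder actually loaded with `splunk btool inputs list --debug` and `splunk list monitor`.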
Forgive me, I'm new to this. I've updated the config file and restarted the service. Is there anything else I should be doing to be able to search logs on my instance, or do I need to do some sort of registration over on the Splunk instance? We're using Cloud.
Many Thanks!
Thank you jtrucks. It's working.