Bug in Universal Forwarder? inputs.conf monitor and recursive = false

elof
Path Finder

Should it really be like this? I think it is a bug.

In /var/log I have lots of files and dirs.
I want to monitor the files in /var/log, but I don't want to recurse through all the subdirs. I'm only interested in a few specific subfolders.

In inputs.conf of my universal forwarder (on a Debian machine) I have stanzas like this:

### Files in /var/log
[monitor:///var/log]
disabled = false
index = foo
sourcetype = syslog
ignoreOlderThan = 14d
recursive = false
blacklist = (\.gz|\.\d|/all.log|/faillog|/lastlog|/wtmp)$

### Apache logs
[monitor:///var/log/apache2]
disabled = false
index = foo
ignoreOlderThan = 14d
recursive = false
blacklist = (\.gz|\.\d)$

### qqq logs
[monitor:///var/log/qqq]
disabled = false
index = foo
sourcetype = qqq
ignoreOlderThan = 14d
recursive = false
blacklist = (\.gz|\.\d)$

Bug/problem:
Only the files in /var/log (such as /var/log/messages) get indexed! The UF does not start monitoring the apache2 or qqq directories. 😞

Apparently the option "recursive = false" in the first stanza for /var/log is not confined to that stanza, but also puts restrictions on all other stanzas related to the /var/log path.

If I comment out the first stanza (or its option "recursive = false"), the other stanzas start working.

Have I missed some vital keyword/option in the manual, 'cause this can't be how Splunk is supposed to behave, is it?

(both Debian and the UF use the latest version)

0 Karma
1 Solution

elof
Path Finder

Not a solution to this bug, but a workaround:

I removed all occurrences of the problematic option recursive.
In its place I made two changes:
* instead of monitoring a dir, /var/log, I monitor the items within the dir, /var/log/*
* I added a blacklist regexp filter to exclude any and all subfolders, /var/log/.*/

Result: I monitor all files in the dir but don't recurse into any subfolders. In my two subfolders of interest I do the same.

Example:

[monitor:///var/log/*]
blacklist = /var/log/.*/
blacklist = (\.gz|\.\d|/all.log|/faillog|/lastlog|/wtmp)$
disabled = false
index = foo
sourcetype = syslog
ignoreOlderThan = 14d

### Apache logs
[monitor:///var/log/apache2/*]
blacklist = /var/log/apache2/.*/
blacklist = (\.gz|\.\d)$
disabled = false
index = foo
ignoreOlderThan = 14d

### qqq logs
[monitor:///var/log/qqq/*]
blacklist = /var/log/qqq/.*/
blacklist = (\.gz|\.\d)$
disabled = false
index = foo
sourcetype = qqq
ignoreOlderThan = 14d

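Before pushing a workaround like the one above to a fleet of forwarders, it is worth checking that every path you expect to collect lands in exactly one stanza and that nothing important is silently dropped (the original problem was a visibility gap, not an error). The script below is an added example, not code from the thread or from Splunk: it models the three stanzas from the answer as a base path plus their blacklist regexes, applies each blacklist as an unanchored search against the full file path (which is how Splunk evaluates blacklist), and reports which stanza would pick up each of a few constructed sample paths. It deliberately ignores ignoreOlderThan and the glob semantics of the trailing `*`; it only exercises the blacklist logic that makes the workaround hold.

```python
import re

# Constructed model of the accepted-answer inputs.conf stanzas: the monitored
# base path plus the blacklist regexes of each stanza (copied from the post).
# Splunk evaluates each blacklist as an unanchored regex search against the
# full path of a candidate file; a file is dropped if any of them matches.
STANZAS = {
    "monitor:///var/log/*": {
        "base": "/var/log/",
        "blacklist": [r"/var/log/.*/",
                      r"(\.gz|\.\d|/all.log|/faillog|/lastlog|/wtmp)$"],
    },
    "monitor:///var/log/apache2/*": {
        "base": "/var/log/apache2/",
        "blacklist": [r"/var/log/apache2/.*/", r"(\.gz|\.\d)$"],
    },
    "monitor:///var/log/qqq/*": {
        "base": "/var/log/qqq/",
        "blacklist": [r"/var/log/qqq/.*/", r"(\.gz|\.\d)$"],
    },
}


def blacklisted(path, patterns):
    """Return the first blacklist regex that matches `path`, or None."""
    for pat in patterns:
        if re.search(pat, path):
            return pat
    return None


def stanzas_for(path, stanzas=STANZAS):
    """Names of the stanzas that would pick up `path`: the path must lie
    under the stanza's base directory and match none of its blacklists."""
    hits = []
    for name, cfg in stanzas.items():
        if not path.startswith(cfg["base"]):
            continue
        if blacklisted(path, cfg["blacklist"]) is None:
            hits.append(name)
    return hits


# Constructed sample paths covering the cases discussed in the thread:
# top-level files, rotated/compressed files, and files in sub-folders.
SAMPLE_PATHS = [
    "/var/log/messages",
    "/var/log/syslog.1",
    "/var/log/wtmp",
    "/var/log/apache2/access.log",
    "/var/log/apache2/access.log.gz",
    "/var/log/apache2/site/error.log",
    "/var/log/qqq/qqq.log",
    "/var/log/other/app.log",
]


def report(paths=SAMPLE_PATHS):
    """Map each sample path to the list of stanzas that would monitor it."""
    return {p: stanzas_for(p) for p in paths}


if __name__ == "__main__":
    for path, names in report().items():
        print(f"{path:40} -> {names or ['(not monitored)']}")
```

The interesting rows are the ones that come back empty: /var/log/apache2/site/error.log is excluded by the apache2 stanza's own sub-folder blacklist, and /var/log/other/app.log is collected by nobody, which is exactly the outcome the workaround intends but is easy to overlook if a new application starts logging into its own directory later.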

jayavardhand
New Member

This question of yours helped me identify an issue: I had no clue why, when I set recursive = false on a subfolder, it didn't monitor files in that folder. I noticed a parent folder setting of recursive = false, and that appears to be the obvious issue.

0 Karma

neelamssantosh
Contributor

Why give a 'blacklist' of specific compressed-file extensions to exclude, when Splunk ignores the
packed_extensions_list:
bz, bz2, tbz, tbz2, Z, gz, tgz, tar, zip

0 Karma
