Getting Data In

Problem with monitor configuration in inputs.conf

C_Sparn
Communicator

Hello,
I want to monitor rolling logfiles with extension x.log0 to x.log9.
The problem is, that I only can monitor the files when I monitor the parent directory of the log files. If I try to set the stanza like this: [monitor://tmp/logs/x.log*] nothing happens!
How can I monitor every single file from x.log0 to x.log9 without using the parent directory?
Thanks

1 Solution

grijhwani
Motivator

Your example stanza is missing a slash.

[monitor:///tmp/logs/x.log*]

You could try monitoring the directory, and only whitelisting the desired files, although I'm not sure whether that is a deprecated mechanism:

[monitor:///tmp/logs/]
whitelist = \.log[0-9]

(No guarantees this is exactly correct, but you get the idea. We use a similar mechanism which is the inverse - i.e. we blacklist what we don't want.)

blacklist = (\.gz$|sa/sar\d+|sa/sa\d+|tmp$|\.gz\.\d+$|\.tgz$|\.bz$|\.bz2$|\.old)

View solution in original post

grijhwani
Motivator

Your example stanza is missing a slash.

[monitor:///tmp/logs/x.log*]

You could try monitoring the directory, and only whitelisting the desired files, although I'm not sure whether that is a deprecated mechanism:

[monitor:///tmp/logs/]
whitelist = \.log[0-9]

(No guarantees this is exactly correct, but you get the idea. We use a similar mechanism which is the inverse - i.e. we blacklist what we don't want.)

blacklist = (\.gz$|sa/sar\d+|sa/sa\d+|tmp$|\.gz\.\d+$|\.tgz$|\.bz$|\.bz2$|\.old)

C_Sparn
Communicator

Hello,

the * in my stanza didnt show any effect in my case, but with whitelist everything is fine. Thanks!
Greetings

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...