Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Wildcarding help in inputs.conf -- controlling directory depth

Josh
Path Finder
‎04-21-2010 09:27 AM

Inputs.conf: The stanza [monitor:///app/fao/dittradeflow/servers/.../logs] will look at all folders and subfolders within servers for a dir named logs, how can we modify this so that only the directories within the servers directory are checked for the subfolder logs

E.g. 
We want to monitor for the following:

monitor:///app/fao/dittradeflow/servers/tc3/logs or monitor:///app/fao/dittradeflow/servers/tc2/logs

  But we do not want to monitor:

    monitor:///app/fao/dittradeflow/servers/tc3/stage/logs or monitor:///app/fao/dittradeflow/servers/tc3/stage/CQS
Tags (1)
Reply

jrodman
Splunk Employee
Splunk Employee
‎04-22-2010 07:18 PM

You can use a whitelist or blacklist to constrain the input behavior, or use the wildcarding inputs to implicitly create this, eg:

[monitor:///app/fao/dittradeflow/servers/*/logs]

'...' matches any number of directory layers. '*' does not cross directory layers. Thus a matching file would have to contain /app/fao/dittratde/flow/severrs/<somedirectory>/logs This could be something ending in servers/directory/logs-file.log, though. If you want to enforce that 'logs' is a directory and not part of a filename, use:

[monitor:///app/fao/dittradeflow/servers/*/logs/]
0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎09-08-2010 08:39 PM

The documentation is incorrect. I'm not sure exactly what it was trying to convey, but it will get some edits.

0 Karma
Reply

drawks
Explorer
‎09-08-2010 06:28 PM

" * matches anything in that specific path segment. It cannot be used inside of a directory path; it must be used in the last segment of the path. For example /foo/*.log matches /foo/bar.log but not /foo/bar.txt or /foo/bar/test.log. "

Looks like the documentation explicitly contradicts your example.

0 Karma
Reply

thall79
Communicator
‎04-21-2010 12:56 PM

Not sure if you read this post:

http://answers.splunk.com/questions/1472/disable-monitoring-of-sub-directories

but gkanapathy suggested to another splunker to use blacklisting. Sounds like it would work for you and me.

Travis.

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...