Hi,
I'm trying to index a directory that has subdirectories in this format:
-Directory
---Sub Directory
-----Logs
---Sub Directory
-----Logs
---Sub Directory
-----Logs
Like the above, and basically I want to add 1 data input, which would look something like /directory/.../logs so the ... can be any of the sub directory names. Please can somebody help with some syntax on how to do this.
I look forward to your response.
Thanks
Hi markthompson,
that's exactly what you need to do, create a monitor stanza in inputs.conf (or in the UI, data inputs) that looks like this:
[monitor://directory/.../Logs/*]
see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Specifyinputpathswithwildcards
hope that helps ...
cheers, MuS
Hey MuS, can you tell me the path for the inputs.conf please. splunk -> etc?
Hi, you would do that on the directory source server and in etc/system/local/inputs.conf
for example
You can use wildcards in the directory path. I often use something like this:
[monitor:///export/oracle/diag/rdbms/*/*/trace/alert*.log]
to pick up logs for all of my databases with a single monitor.
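Added example, not part of the original thread and not Splunk's own code: a small Python check of which files the two wildcard monitor paths above would pick up, useful for confirming that a stanza collects the intended logs and nothing else before deploying it. It assumes the regex equivalents given in Splunk's wildcard documentation (`...` as `.*`, `*` as `[^/]*`) and an end-anchored match; the function names and sample paths are constructed for illustration, and the first path is written with a leading slash as in the question.

```python
import re

def splunk_wildcard_to_regex(monitor_path):
    """Approximate a monitor path containing '...' and '*' as an anchored regex."""
    parts, i = [], 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            parts.append(".*")       # '...' recurses through any number of directory levels
            i += 3
        elif monitor_path[i] == "*":
            parts.append("[^/]*")    # '*' matches within a single path segment only
            i += 1
        else:
            parts.append(re.escape(monitor_path[i]))
            i += 1
    # Assumption: the whole file path must match, anchored at both ends.
    return re.compile("^" + "".join(parts) + "$")

def matched_files(monitor_path, candidates):
    """Return the candidate file paths the wildcard path would select."""
    rx = splunk_wildcard_to_regex(monitor_path)
    return [p for p in candidates if rx.match(p)]

# Constructed sample file paths (not taken from any real system).
SAMPLE_PATHS = [
    "/directory/app1/Logs/access.log",
    "/directory/app2/Logs/error.log",
    "/directory/team/app3/Logs/audit.log",    # two levels deep: covered by '...'
    "/directory/app1/Logs/archive/old.log",   # below Logs/: trailing '*' is one segment
    "/directory/app1/config/secrets.conf",    # not under a Logs directory
    "/directory/app4/logs/access.log",        # lowercase 'logs': match is case-sensitive
    "/export/oracle/diag/rdbms/orcl/orcl1/trace/alert_orcl1.log",
    "/export/oracle/diag/rdbms/orcl/orcl1/trace/orcl1_ora_123.trc",
    "/export/oracle/diag/rdbms/orcl/trace/alert_orcl.log",  # only one level before trace/
]

if __name__ == "__main__":
    for path in ("/directory/.../Logs/*",
                 "/export/oracle/diag/rdbms/*/*/trace/alert*.log"):
        print("[monitor://%s]" % path)
        for hit in matched_files(path, SAMPLE_PATHS):
            print("   ", hit)
```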