I have these 2 groups:
[monitor:///pack/jboss/server/edu01_*/logs/server.log]
sourcetype = server_log
index = myindex
[monitor:///pack/jboss/server/staging_xxx/log/server.log]
sourcetype = server_log
index = anothterindex
list monitor only shows:
/pack/jboss/server/edu01_xxx/logs/server.log
/pack/jboss/server/edu01_yyy/logs/server.log
REST API (8089) shows:
parent /pack/jboss/server/staging_xxx/log/server.log
type Did not match partial whitelist '^/pack/jboss/server/edu01_[^/]*/log/server.log$'.
It looks like it's using the same rule for both. I want to separate these rules.
The problem you're having is that a wildcard in the path specification of a monitor: stanza is implemented on the backend of a monitor: of the longest fixed path, and a whitelist = * regex to match the specific entries according to the original monitor: stanza. This means that the monitor stanza for "/pack/jboss/server/staging_xxx/log/server.log" is a descendant of the (implicit) rule: "/pack/jboss/server" (with whitelist...). If the list of edu_ subdirs is not large, you could iterate each.
You could also try this. Explicitly monitor the top-level directory, and include a whitelist to match the subpaths.
[monitor:///pack/jboss/server]
whitelist = (edu_.*|staging_xxx)/log/server.log
sourcetype = server_log
OMIT the sourcetype, but add a props.conf to include a source-based rule:
[source::///pack/jboss/server/staging_xxx/log/server.log]
index = foo
[source::///pack/jboss/server/edu_.*/log/server.log]
index = bar
(I haven't tested this particular example, but I've done things like this in the past.)
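The shadowing described in this answer can be checked offline before deploying an inputs.conf, since a file that silently fails an implicit whitelist is a gap in log collection. The following is an added example, not code from the original posts or from Splunk: the function names are hypothetical, and the translation rules (`*` becomes `[^/]*`, `...` becomes `.*`, base is the longest wildcard-free directory) are a simplified model of the behaviour the answer describes.

```python
import re

# Monitor paths taken from the two stanzas in the question.
STANZAS = [
    "/pack/jboss/server/edu01_*/logs/server.log",
    "/pack/jboss/server/staging_xxx/log/server.log",
]

def implicit_monitor(path):
    """Return (fixed base path, implicit whitelist regex or None).

    Simplified model: the base is the longest leading run of segments
    without a wildcard; the whitelist is the full path with '*' turned
    into [^/]* and '...' into .* (assumed rules, not Splunk source).
    """
    segments = path.strip("/").split("/")
    fixed = []
    for seg in segments:
        if "*" in seg or "..." in seg:
            break
        fixed.append(seg)
    base = "/" + "/".join(fixed)
    if len(fixed) == len(segments):
        return base, None  # no wildcard, so no implicit whitelist
    parts = re.split(r"(\.\.\.|\*)", path)
    regex = "".join(
        ".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p)
        for p in parts
    )
    return base, "^" + regex + "$"

def shadowed_by(stanzas, candidate):
    """List implicit rules whose base directory covers `candidate`
    but whose whitelist rejects it (the case the REST output reports)."""
    hits = []
    for stanza in stanzas:
        base, whitelist = implicit_monitor(stanza)
        if whitelist is None:
            continue
        if candidate.startswith(base + "/") and not re.search(whitelist, candidate):
            hits.append((base, whitelist))
    return hits

if __name__ == "__main__":
    for base, wl in shadowed_by(STANZAS, STANZAS[1]):
        print(f"{STANZAS[1]} is under implicit monitor {base}")
        print(f"  but does not match whitelist {wl}")
```
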
Hi
We are using a managed Splunk and I think it's not possible to use props.conf in the Universal Splunk Forwarder. http://answers.splunk.com/answers/27373/universal-forwarder-and-props-conf-and-transforms-conf.html
Any other solutions?