Getting Data In

How to configure inputs.conf to setup two separate monitoring rules?

khuongdp
New Member

I have these 2 group:

[monitor:///pack/jboss/server/edu01_*/logs/server.log]
sourcetype = server_log
index = myindex

[monitor:///pack/jboss/server/staging_xxx/log/server.log]
sourcetype = server_log
index = anothterindex

list monitor only show:
/pack/jboss/server/edu01_xxx/logs/server.log
/pack/jboss/server/edu01_yyy/logs/server.log

REST API (8089) show:
parent /pack/jboss/server/staging_xxx/log/server.log
type Did not match partial whitelist '^/pack/jboss/server/edu01_[^/]*/log/server.log$'.

I looks like it's using the same rule for both. I want to separate these rules.

Tags (1)
0 Karma

sowings
Splunk Employee
Splunk Employee

The problem you're having is that a wildcard in the path specification of a monitor: stanza is implemented on the backend of a monitor: of the longest fixed path, and a whitelist = * regex to match the specific entries according to the original monitor: stanza. This means that the monitor stanza for "/pack/jboss/server/staging_xxx/log/server.log" is a descendent of the (implicit) rule: "/pack/jboss/server" (with whitelist...). If the list of edu_ subdirs is not large, you could iterate each.

You could also try this. Explicitly monitor the top-level directory, and include a whitelist to match the subpaths.

[monitor:///pack/jboss/server]
whitelist = (edu_.*|staging_xxx)/log/server.log
sourcetype = server_log

OMIT the sourcetype, but add a props.conf to include a source-based rule:

[source::///pack/jboss/server/staging_xxx/log/server.log]
index = foo
[source::///pack/jboss/server/edu_.*/log/server.log]
index = bar

(I haven't tested this particular example, but I've done things like this in the past.)

0 Karma

khuongdp
New Member

Hi

We are using a managed Splunk and I think it's not possible to use props.conf in the Universal Splunk Forwarder. http://answers.splunk.com/answers/27373/universal-forwarder-and-props-conf-and-transforms-conf.html

Any other solutions?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...