Getting Data In

using wildcard to index logs monitor config in inputs.conf fails

jrdba
Explorer

Hi folks. We are currently trying to pick up some log files by using a wildcard settings in our inputs.conf file. We replaced the portion where different server names are filled in with *, but are not getting logs being pulled on the search head. My fellow Splunk engineer explained it in details below. This is in linux O/S. Please kindly advise. Thanks much.

We have 5 servers with file path:

/opt/ibm/websphere61/appserver/profiles/[servername]/TeamConnect/logs/

I want the .log files in this directory on each server.

I’ve configured the monitor:
[monitor:///opt/ibm/websphere61/appserver/profiles/*/TeamConnect/logs/]
recursive = false

but the files are not coming in.

Tags (2)
0 Karma
1 Solution

jayannah
Builder
  1. add * at the end of the path (i.e after /logs/ , but not visible due the editor issue may be)
    [monitor:///opt/ibm/websphere61/appserver/profiles//TeamConnect/logs/ ]

  2. check if the owner of the splunkd process has the read permission to this path

  3. is "ls -l /opt/ibm/websphere61/appserver/profiles//TeamConnect/logs/" list all the files for the same user running Splunkd??

let me know if you are still facing issues...

View solution in original post

jrdba
Explorer

Thanks jayannah. My fellow splunk admin used your recommendation + "recursive = true" as a second line and it worked

Thanks ddrillic for chiming in as well 🙂

ddrillic
Ultra Champion

The syntax which works for us is ... instead of the *. So, it should read –

[monitor:///opt/ibm/websphere61/appserver/profiles/.../TeamConnect/logs/]

Hopefully it would work for you ; -)

Regards,
Dan

jayannah
Builder
  1. add * at the end of the path (i.e after /logs/ , but not visible due the editor issue may be)
    [monitor:///opt/ibm/websphere61/appserver/profiles//TeamConnect/logs/ ]

  2. check if the owner of the splunkd process has the read permission to this path

  3. is "ls -l /opt/ibm/websphere61/appserver/profiles//TeamConnect/logs/" list all the files for the same user running Splunkd??

let me know if you are still facing issues...

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...