Getting Data In

Asteriks and inputs.conf

fcastro86
New Member

Hello, I have the following path

/foo/bar[1-n]/logs/
I have several bar folders (bar1,bar2 ... bar1337 ) and inside logs each one has a ton of asdf.logs I was thinking if this is a valid input entry.

[monitor:///foo/bar*/logs/*.log]

Because so far it seems that it is not working. Thanks in advance!

0 Karma

emiller42
Motivator

That is a valid monitor stanza entry, but it's worth noting what is actually happening under the hood when you do a wildcard monitor. When dealing with wildcards, Splunk actually monitors everything that is a child to the deepest explicit part of the monitored path, and then builds a regex pattern using the wildcards to apply as a whitelist to the watched files. This can have performance considerations if the wildcards happen at a shallow point in the path.

Using the monitor stanza you provided:

[monitor:///foo/bar*/logs/*.log]

Splunk is actually going to be aware of everything that is in /foo/ on this system. Then out of those, anything that fits the full pattern is actually indexed. The key point here is that everything is known to the Splunk forwarder. If /foo/ has several thousand items in it, that's going to have a negative impact on performance, as it has to be aware of all of them to see if they match the wildcard pattern. Basically, the bottleneck can be the number of open file descriptors.

As others have said, It's a really good idea to check out the splunkd logs on the forwarder, as any errors there should help you identify what is actually going wrong.

As a side note, you can only use * and ... for wildcards in monitor stanzas. But you can use whitelist or blacklist to leverage full regex pattern matching if needed. Check the inputs.conf spec for details.

0 Karma

aholzer
Motivator

Looks ok at first glance. How many files do you have? It might just have a backlog of all the files it needs to send across.

Have you looked at "splunkd.log"? Look for any errors (on both the forwarder and indexer).

Have you ensured that the connection between the forwarder and indexer is ok?

Have you ensured that the index exists on the indexer you are sending data to?

Hope this helps

0 Karma

fcastro86
New Member

Thanks, I'll check that, thanks in advance.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...