PROPS.CONF

richnavis · ‎05-05-2011

I am trying to index a UNC Path, but am unable to use wildcards..

Here's what I"m trying to match

\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG

I don't want to match this

\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG

The manual indicates I could use *, but am having no luck.. Have tried this..

\\IISLOGS\MYSERVER*
\\IISLOGS\MYSERVER*\

NO indexing at all occurs if I do this..

richnavis · ‎05-09-2011

Finally able to get this to work. Ended up deleting all the configuration on my server and recreating it, so potentially their was something conflicting? Anyway, just wanted to close the loop on this, showing that you can wildcard in your inputs.conf file without using transforms... Here's three examples of syntax I used for the monitor headers that WORKED.

[monitor://\ServerLogs\prod\prod-iislogs\HS1WS*...]

[monitor://\ServerLogs\prod\prod-iislogs\HS2WS*...]

[monitor://\ServerLogs\prod\prod-iislogs\SI1WS*...]

Michael_Wilde · ‎05-05-2011

We should be able to use your existing singular whitelist to eat the directory, but exclude everything other than your server, as you have done.

Then.. create two files in the same dir called "props.conf" & "transforms.conf" (assuming you're in the $SPLUNK_HOME/etc/apps/search/local directory
in props.conf, we can choose how events get selected and are processed by "transforms.conf". Transforms.conf will make our "index-switching" happen on the fly. Just tested it locally, seems to work just fine.

PROPS.CONF

[source::...Order...]
TRANSFORMS-moveorders = toIndex1

[source::...Product...]
TRANSFORMS-moveproducts = toIndex2

[source::...Customer...]
TRANSFORMS-movecustomers = toIndex3

TRANSFORMS.CONF

[toIndex1]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index1

[toIndex2]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index2

[toIndex3]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index3

Michael_Wilde · ‎05-05-2011

Have you considered just eating \IISLOGS and using
_blacklist = YOURSERVER

http://www.splunk.com/base/Documentation/latest/Data/Whitelistorblacklistspecificincomingdata

Michael_Wilde · ‎05-05-2011

Splunk only lets you monitor a directory once. What is your scheme for determining what data goes in which index?

richnavis · ‎05-05-2011

Update: Did NOT work as expected... When creating a SECOND input for the same path for the second set of servers, I got a message indicating that I could not create an input with the same name..

This seems like pretty basic functionality.. Essentially, I want to create multiple indexes with files with a common path..

richnavis · ‎05-05-2011

Awesome.. I could not get it to work using wildcards in the path, but using a WHITELIST, it worked perfectly...

.*MYSERVER.*

Thanks for the help!

richnavis · ‎05-05-2011

Sorry... need to clarify my example. Was hoping not to have a seperate entry for each server..
Need to match the following..

\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER02\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER03\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER04\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER05\W3SVC01\EX10.LOG

Don't want to match..

\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG

ftk · ‎05-05-2011

I updated my answer, basically just use more wildcards.

ftk · ‎05-05-2011

Your examples seem a bit odd to me, but to match your .LOG files in your example you would use

\\IISLOGS\MYSERVER01\W3SVC01\*.LOG

[EDIT]
You could use the wildcard as such:

\\IISLOGS\MYSERVER*\W3SVC01\*.LOG

Are Wildcards supported for use with UNC Paths?

PROPS.CONF

TRANSFORMS.CONF

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes