I am trying to index a UNC Path, but am unable to use wildcards..
Here's what I'm trying to match
\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG
I don't want to match this
\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG
The manual indicates I could use *, but am having no luck.. Have tried this..
\\IISLOGS\MYSERVER*
\\IISLOGS\MYSERVER*\
NO indexing at all occurs if I do this..
Finally able to get this to work. Ended up deleting all the configuration on my server and recreating it, so potentially there was something conflicting? Anyway, just wanted to close the loop on this, showing that you can wildcard in your inputs.conf file without using transforms... Here are three examples of syntax I used for the monitor headers that WORKED.
[monitor://\ServerLogs\prod\prod-iislogs\HS1WS*...]
[monitor://\ServerLogs\prod\prod-iislogs\HS2WS*...]
[monitor://\ServerLogs\prod\prod-iislogs\SI1WS*...]
We should be able to use your existing singular whitelist to eat the directory, but exclude everything other than your server, as you have done.
Then.. create two files in the same dir called "props.conf" & "transforms.conf" (assuming you're in the $SPLUNK_HOME/etc/apps/search/local directory).
In props.conf, we can choose how events get selected and are processed by "transforms.conf". Transforms.conf will make our "index-switching" happen on the fly. Just tested it locally, seems to work just fine.
# props.conf
[source::...Order...]
TRANSFORMS-moveorders = toIndex1
[source::...Product...]
TRANSFORMS-moveproducts = toIndex2
[source::...Customer...]
TRANSFORMS-movecustomers = toIndex3
# transforms.conf
[toIndex1]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index1
[toIndex2]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index2
[toIndex3]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index3
Have you considered just eating \IISLOGS and using
_blacklist = YOURSERVER
http://www.splunk.com/base/Documentation/latest/Data/Whitelistorblacklistspecificincomingdata
Splunk only lets you monitor a directory once. What is your scheme for determining what data goes in which index?
Update: Did NOT work as expected... When creating a SECOND input for the same path for the second set of servers, I got a message indicating that I could not create an input with the same name..
This seems like pretty basic functionality.. Essentially, I want to create multiple indexes with files with a common path..
Awesome.. I could not get it to work using wildcards in the path, but using a WHITELIST, it worked perfectly...
.*MYSERVER.*
Thanks for the help!
Sorry... need to clarify my example. Was hoping not to have a separate entry for each server..
Need to match the following..
\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER02\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER03\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER04\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER05\W3SVC01\EX10.LOG
Don't want to match..
\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG
I updated my answer, basically just use more wildcards.
Your examples seem a bit odd to me, but to match your .LOG files in your example you would use
\\IISLOGS\MYSERVER01\W3SVC01\*.LOG
[EDIT]
You could use the wildcard as such:
\\IISLOGS\MYSERVER*\W3SVC01\*.LOG
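Added example, not part of the thread and not Splunk's own code: a simplified Python model of the monitor wildcards (`*` stays within one path segment, `...` recurses) and of an unanchored whitelist/blacklist regex, run against the paths quoted above. The `NOTMYSERVER01` and nested `old` paths are constructed, and the tighter whitelist `\\MYSERVER[^\\]*\\` is an assumption added here to show what the `.*MYSERVER.*` whitelist also lets in.

```python
import re

def wildcard_to_regex(monitor_path, sep="\\"):
    """Simplified model of the wildcard rules: '*' stays inside one path
    segment, '...' recurses through any number of directory levels."""
    segment = "[^" + re.escape(sep) + "]*"
    parts, i = [], 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            parts.append(segment)
            i += 1
        else:
            parts.append(re.escape(monitor_path[i]))
            i += 1
    return re.compile("".join(parts))

def path_matches(monitor_path, path):
    """True if the whole file path is covered by the wildcarded monitor path."""
    return wildcard_to_regex(monitor_path).fullmatch(path) is not None

def monitored(path, whitelist=None, blacklist=None):
    """whitelist/blacklist are unanchored regexes searched in the full path;
    a path that hits both is treated as excluded."""
    if blacklist and re.search(blacklist, path):
        return False
    return whitelist is None or re.search(whitelist, path) is not None

# Paths from the thread, plus two constructed ones (marked) for edge cases.
WANTED = [rf"\\IISLOGS\MYSERVER0{n}\W3SVC01\EX10.LOG" for n in range(1, 6)]
UNWANTED = r"\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG"
LOOKALIKE = r"\\IISLOGS\NOTMYSERVER01\W3SVC01\EX10.LOG"  # constructed
NESTED = r"\\IISLOGS\MYSERVER01\W3SVC01\old\EX09.LOG"    # constructed

if __name__ == "__main__":
    # Columns: segment wildcard, recursive wildcard, loose whitelist, tight whitelist
    for p in WANTED + [UNWANTED, LOOKALIKE, NESTED]:
        print(p,
              path_matches(r"\\IISLOGS\MYSERVER*\W3SVC01\*.LOG", p),
              path_matches(r"\\IISLOGS\MYSERVER*...", p),
              monitored(p, whitelist=r".*MYSERVER.*"),
              monitored(p, whitelist=r"\\MYSERVER[^\\]*\\"))
```

The loose whitelist accepts the constructed `NOTMYSERVER01` path because it is not anchored to a path separator; the wildcarded monitor path and the tighter whitelist both reject it.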