Hi everyone, I have 3 folders called www1, www2, www3, and I would like to get only 2 types of logs:
security.log and access.log.
I did something like this:
[monitor:///opt/log/www*/access.log]
sourcetype=linux_secure
host_segment=3 host=www*
index=web
[monitor:///opt/log/www*/secure.log]
host_segment=3
host=www*
index=main
But it's obviously not working. How can I correct this?
What are you doing with host=www*? You're already telling Splunk to assign the host value from the 3rd segment of the log path...
It wasn't working, so I wrote host=www* again, to try...
Try this:
[monitor:///opt/log/www*/access.log]
sourcetype=access_combined
host_segment=3
index=web
[monitor:///opt/log/www*/secure.log]
sourcetype=linux_secure
host_segment=3
index=main
What about whitelist=security.log$|access.log$? Do you think I can monitor these using regular expressions?
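As an added example (not from either poster), here is how the last question can be answered with a single monitor stanza that uses a whitelist regex, while still giving each file its own sourcetype. The directory layout /opt/log/www1, www2, www3 and the file names come from the thread; the sourcetype assignment via a props.conf source stanza is an assumption about how the asker wants the data typed, and the exact file name (secure.log vs. security.log) should be checked against what is actually on disk, since the thread uses both.

```ini
# inputs.conf (added example, not the posters' own configuration)
# One stanza watches every www* directory. The whitelist regex keeps only the
# two file names of interest; everything else under those directories is ignored.
# Counting segments from the left (1=opt, 2=log, 3=www1), host_segment=3 sets
# host to www1, www2 or www3 automatically, so no host= line is needed.
[monitor:///opt/log/www*]
whitelist = (access|secure)\.log$
host_segment = 3
index = web

# props.conf (added example). A monitor stanza can carry only one sourcetype,
# so when one stanza covers two file types the sourcetype is assigned per
# source path here instead.
[source::/opt/log/www*/access.log]
sourcetype = access_combined

[source::/opt/log/www*/secure.log]
sourcetype = linux_secure
```

If the two files must land in different indexes (web and main, as in the original stanzas), keep two monitor stanzas as in the suggested answer, because index is also a per-stanza setting; the whitelist approach is the right tool when the files share an index. After changing inputs.conf, restart the forwarder and confirm with a search such as index=web | stats count by host, source that the host field shows www1..www3 rather than the forwarder's own name.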