Getting Data In

How do I "watch" a specific log file and only send updates based on specific strings?

sdickson
New Member

I need to watch log files for certain error strings only. Ideally this would be done on the machine that contains the file to be monitored, so I am assuming that each machine that contains monitored files would need to be configured as a forwarder, but this is where I begin to get lost. I am a newbie to Splunk so please forgive my novice question. Can anyone tell me what files need to be altered on the forwarder to filter and forward the strings? I do have this configured so that every time the log file is altered it updates the receiver.


Brian_Osburn
Builder

The high level answer would be to edit the inputs.conf file on the forwarder to point it to the right files.

See http://www.splunk.com/base/Documentation/4.2.2/Data/Usingforwardingagents which will explain how to set up forwarding.

That will set up the file for forwarding.

The second part of your question around only indexing specific strings can be answered in two ways. First, the easiest method is to just index the entire file, and then just set up a search to alert on your error messages.

The second option is if you want to just index the strings you want. You will need to set up a transforms.conf to use the sed-cmd to keep only the strings that match your regex. You can see more at http://www.splunk.com/base/Documentation/4.2.2/Admin/Propsconf

Also, might want to check out the nullqueue http://www.splunk.com/base/Documentation/4.2.2/Deploy/Routeandfilterdatad (thanks DuckFez!)

The second option is a little more complicated than the first option.
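Added example (not from the original post or the Splunk documentation): the three configuration fragments that implement the answer above, in the nullQueue routing style the linked route-and-filter doc describes. The file path, sourcetype name, index and the error strings in the regex are assumptions for illustration. One caveat worth knowing before editing the forwarder: nullQueue routing happens at parse time, and a universal forwarder does not parse, so the props.conf and transforms.conf stanzas belong on the indexer (or on a heavy forwarder); only inputs.conf is needed on a universal forwarder, and the whole file still crosses the network before the unwanted lines are dropped. Events sent to nullQueue are discarded before indexing, so they do not count toward license volume.

```ini
# --- inputs.conf (on the forwarder) ---
# Monitor the application log and give it a sourcetype so the filtering
# stanzas below can be keyed on it. Path and names are assumptions.
[monitor:///var/log/myapp/app.log]
sourcetype = myapp_log
index = main
disabled = false

# --- props.conf (on the indexer or heavy forwarder) ---
# Transforms run in the order listed and the last match wins,
# so the "keep" rule must come after the "drop everything" rule.
[myapp_log]
TRANSFORMS-filter = myapp_drop_all, myapp_keep_errors

# --- transforms.conf (on the indexer or heavy forwarder) ---
# First route every event of this sourcetype to nullQueue ...
[myapp_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ... then route only lines containing the wanted strings back to
# indexQueue. Replace the alternation with your own error strings.
[myapp_keep_errors]
REGEX = \b(ERROR|FATAL|OutOfMemoryError)\b
DEST_KEY = queue
FORMAT = indexQueue
```

If you take the first option instead and index the whole file, the equivalent search to save as an alert would be along the lines of `sourcetype=myapp_log ("ERROR" OR "FATAL" OR "OutOfMemoryError")`; the advantage is that the surrounding context lines are still available when you investigate an alert, which the nullQueue approach throws away.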
