Getting Data In

How to define inputs.conf to have 2 different kinds of files monitored in a directory containing wildcards?

dreamfeeder
New Member

Hi Guys,

I have the files below in a directory /var/mtapps/ashl/logs/[folderA]/[folderB]/[folderC]/
(there are many different folder A, folder B and folder C)

nohup.out
error.log
AMLKAZ0800-SplitAt_080002.log.we
err-sAMLKAZ0800.log.we
AMLKAZ0800-SplitAt_160001.log.we
secs-AMLKAZ0800.log.we
mq-sAMLKAZ0800.log.we
mq-eAMLKAZ0800.log.we
metrics-sAMLKAZ0800.log.we
AMLKAZ0800.log.we

Of the above files, I only want to monitor the files that start with "mq-s*" and "err-", so I set up my inputs.conf as below, but it doesn't work.
It only managed to search mq-s but not err-. Even for mq-s, it doesn't take all the files to fulfill the requirement.

[monitor:///var/mtapps/ashl/logs/.../.../mq-s*]
sourcetype = mqhist
index = automation
disabled=0

[monitor:///var/mtapps/ashl/logs/.../.../err-*]
sourcetype = hosterr
index = automation
disabled=0

I also tried to define it like this (example below), but it still doesn't work properly and takes other files like mq-e* and metrics-s* that I don't want.

[monitor:///var/mtapps/ashl/logs/.../.../mq-s*|err-*]
sourcetype = mqhist
index = automation
disabled=0

But if I replace the ... with the specific folder name (example below), it works. What is wrong?
I need to monitor all the folders, not only the specific folder, and ideally to monitor under 2 different sourcetypes. Please help!

[monitor:///var/mtapps/ashl/logs/AMAT/ReflexionLK/AMLKAZ0800/mq-s*]
sourcetype = mqhist
index = automation
disabled=0

[monitor:///var/mtapps/ashl/logs/AMAT/ReflexionLK/AMLKAZ0800/err-*]
sourcetype = hosterr
index = automation
disabled=0
0 Karma

aholzel
Communicator

Maybe you should also keep an eye on this question; it looks the same to me:
https://answers.splunk.com/answers/290586

0 Karma