Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Parsing custom log names into different indexes. Same folder.

nelsonb
Explorer
‎10-27-2011 09:59 AM

My question has to deal with regex and the inputs.conf. It's new to me so I'm taking it slow. We have all of our custom app logs dumped into a '//inHouseLogs/' folder on our servers. Right now I'm attempting to split these logs into indexes for each program. Basically the file structure in the folder looks like this:

ProgramOne.exe.45624.1.username1.log.log
ProgramOne.exe.56782.1.username2.log.log
ProgramOne.exe.45624.1.username1.log.log.1
ProgramOne.exe.45624.1.username1.log.log.2
ProgramTwo.exe.95862.1.username3.log.log
ProgramTwo.exe.95862.1.username3.log.log.1

ProgramThree.exe.85645.1.username4.log.log

And here is how I have the inputs.conf on the universal forwarder (\\SplunkUniversalForwarder\etc\system\local) setup for it:

[default]
host = server001

[monitor://c:\inHouseLogs\ProgramOne(.*)/.log$(.*)]
disabled = false
sourcetype = programOne_logs
index = programOne

[monitor://c:\inHouseLogs\ProgramTwo(.*)/.log$(.*)]
disabled = false
sourcetype = programTwo_logs
index = programTwo

[WinEventLog:Application]
disabled = 0
start_from = newest
index = system

[WinEventLog:System]
disabled = 0
current_only = 1
index = system

================================

Does this good or am I doing something wrong? Also should I be editing the indexes.conf in \etc\system\local in or \etc\apps\search\local

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎10-27-2011 10:38 AM

Nelsonbarringer,
The regexes on the monitor header may not do what you want to do. The asterisk (*) matches anything in a single path segment while "..." will recurse through directories.

I think you'd be better off using whitelist and blacklist under your monitor stanzas.

Check here for more info on white/blacklisting: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...