Is there a way to configure SplunkForwarder inputs.conf to do the following?
The goal is to monitor a few directories and tail "default_log_name" application logs, but if a "splunk_preferred_log" file exists, then just tail those ones instead and do not pick up the default log files.
Example:
A. If only /apps/app_name/logs/DefaultAppLog_Date.log exists = monitor that one
B. If both /apps/app_name/logs/DefaultAppLog_Date.log and /apps/app_name/logs/SplunkPreferredLog_Date.log exist, then monitor just /apps/app_name/logs/SplunkPreferredLog_Date.log
Thanks
Hi Ovi
Personally, I would do this with a script which checks the files for you. Use, for example, your provided A & B and, if there is a match, symlink the log into a separate directory which is monitored by Splunk.
Hope this helps, cheers
MuS
Well, your provided example is a simple 'if else' script and I still think it is the best and easiest way to check for the files you want and not for any rolled ones. Feel free to supply your solution 🙂
Nope... this solution doesn't work in my case.
Too many factors to consider, like rolling log names by date/time, various log rollup times throughout the day, adjusting for outages or maintenance windows, etc.
Too complex to manage all these possible conditions in a script and having to create/maintain symlinks all the time
Still looking for a simpler solution
Thanks man, that's a pretty sweet idea.
My other choice would have been to write a shell script to:
-> search for log files -> "patch" the inputs.conf accordingly -> restart splunkd,
but your suggestion is much better.
I'll give it a try
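
The symlink approach from MuS's answer, as an added shell example that is not part of the original thread. The function name `sync_links`, the link directory and the per-directory reading of rule B (any `SplunkPreferredLog_*.log` in the directory suppresses all default logs) are assumptions, and the script is meant to be run periodically, for example from cron.

```shell
#!/bin/sh
# sync_links LOG_DIR LINK_DIR   (hypothetical helper; LOG_DIR must be an absolute path)
# Keeps LINK_DIR filled with symlinks to exactly the logs the forwarder should tail.
# The forwarder then monitors only LINK_DIR, e.g. (path is a placeholder):
#   [monitor:///opt/splunk_links/app_name]
# Prints which kind of log was selected.
sync_links() {
    log_dir=$1
    link_dir=$2
    mkdir -p "$link_dir" || return 1

    # Case A: default logs are used unless a preferred log is found.
    # Case B: any SplunkPreferredLog_*.log present -> use only those.
    prefix=DefaultAppLog
    for f in "$log_dir"/SplunkPreferredLog_*.log; do
        if [ -f "$f" ]; then
            prefix=SplunkPreferredLog
            break
        fi
    done

    # Remove links of the unselected kind, and links whose target
    # has been rolled away or deleted (dangling links).
    for l in "$link_dir"/*.log; do
        [ -L "$l" ] || continue
        case ${l##*/} in
            "$prefix"_*) [ -e "$l" ] || rm -f "$l" ;;
            *)           rm -f "$l" ;;
        esac
    done

    # Link every current file of the selected kind. Date-stamped names
    # need no special handling: new files simply gain a link on the next run.
    for f in "$log_dir"/"$prefix"_*.log; do
        [ -f "$f" ] || continue
        ln -sf "$f" "$link_dir/${f##*/}"
    done

    echo "$prefix"
}
```

Because only links are added or removed, `inputs.conf` stays unchanged and no splunkd restart is needed when the selection flips.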