Solved: inputs.conf is there a difference

gerdhuber · ‎02-16-2017

Hallo,

i only want to monitor files in the directory pkorb and not files in subdirectory pkorb/oldlogs
What is the right monitor ?

[monitor:///var/log/pkorb]
[monitor:///var/log/pkorb/]

or any other ?

skoelpin · ‎02-16-2017

[monitor:///var/log/pkorb/*] will forward any files sitting in the pkorb directory but will NOT forward files from sub-directories in that pkorb directory

If you wanted to ingest data from a subdirectory, it would look like

[monitor:///var/log/pkorb/.../*]

View solution in original post

skoelpin · ‎02-16-2017

[monitor:///var/log/pkorb/*] will forward any files sitting in the pkorb directory but will NOT forward files from sub-directories in that pkorb directory

If you wanted to ingest data from a subdirectory, it would look like

[monitor:///var/log/pkorb/.../*]

gerdhuber · ‎02-17-2017

thank you

skoelpin · ‎02-17-2017

Did this answer your question? If so then please accept the answer

gerdhuber · ‎02-20-2017

yes, this is what i am looking for.

skoelpin · ‎02-20-2017

Can you please accept the answer and close it out?

martin_mueller · ‎02-16-2017

I'd give this a shot:

[monitor:///var/log/pkorb]
recursive = false

Alternatively, this:

[monitor:///var/log/pkorb]
blacklist = oldlogs

The latter would recurse, but skip the oldlogs directory. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/inputsconf for specs.

inputs.conf is there a difference

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor