Solved: How to monitor a log file on UNIX where file name ...

rohithmn3 · ‎04-20-2017

Hi Team,

My file name looks like below:

SASMeta_MetadataServer_2017-04-21_auq4066l_9175164.log
<-----constant------->_<cur-date>_<host>_<PID>.log

How shall i monitor this file content, it's a rotating file and each day a new file gets created..!

inputs.conf

[monitor:///var/logs/system/local]
whitelist =

What would be the whitelist for the above filename..!?
Please help here.

Regards,
Rohith

dineshraj9 · ‎04-20-2017

You could configure the inputs this way -

[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log] 
index = index_name 
sourcetype = sourcetype_name
crcSalt=<SOURCE>

So any log file which starts with "SASMeta_MetadataServer_" will be read.

View solution in original post

dineshraj9 · ‎04-20-2017

You could configure the inputs this way -

[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log] 
index = index_name 
sourcetype = sourcetype_name
crcSalt=<SOURCE>

So any log file which starts with "SASMeta_MetadataServer_" will be read.

rohithmn3 · ‎04-20-2017

Hi Dinesh,

This monitor all files that starts with SASMeta_MetadataServer_*. In the above path there are multiple files and all starts with the same. So i don't want to monitor all. Is there a way i can only monitor the latest file..!?

dineshraj9 · ‎04-20-2017

Hi Rohith,

You could add an ignoreOlderThan setting in inputs.conf.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf

[monitor:///var/logs/system/local/SASMeta_MetadataServer_*.log] 
index = index_name 
sourcetype = sourcetype_name
crcSalt=<SOURCE>
ignoreOlderThan = 2d

How to monitor a log file on UNIX where file name has date and PID which which are not static all the time.?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!