Splunk Enterprise

How do you collect Linux logs from files such as access.log.YY-DD-MM?

w_raza
Explorer

Hi,

I've deployed splunklight-7.2.1 and I am using the universal log forwarder to forward logs from a Linux server to my Splunk server.

I'm stuck in a condition where I have to get logs from a particular file, which gets created as a new file daily to store the logs. For example, today's logs will be stored in ../access_log.2018-12-31 and tomorrow's logs will be stored as ../access_log.2019-01-01 and so on. Can anyone please guide me on what I should configure in my inputs.conf file to get these logs?

Thanks in advance


vliggio
Communicator

That won't work quite right, Rich. The wildcard is three dots, and using ../ would probably try to find log files one level up from the Splunk root, or possibly from the root level (and only at that level). (Checking bin/splunk list monitor just shows that Splunk is literally interpreting the ../ but not showing the actual root it's using.)

You're always better off with an explicit path as the start (i.e., [monitor:///var/log/access_log.*]), or if it's truly a wildcard recursive search, then it would be [monitor:///var/log/.../access_log.*]. Recursion from the root, though, wouldn't be a very good idea, because then Splunk will have to traverse the whole file system looking for access_log files.

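The explicit-path stanza recommended above, written out as a full inputs.conf example for the Universal Forwarder. This is an added illustration, not configuration from the thread; the /var/log path, the `web` index, the `access_combined` sourcetype and the date-suffix pattern are assumptions to adapt to your own server:

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Universal Forwarder (assumed location)
# Explicit absolute path: '*' matches within a single path segment only, so this picks up
# access_log.2018-12-31, access_log.2019-01-01, ... without walking other directories.
[monitor:///var/log/access_log.*]
disabled = 0
index = web
sourcetype = access_combined
# Only ingest the daily date-suffixed files; ignore e.g. access_log.old or access_log.gz
# (whitelist is a regex matched against the full path).
whitelist = access_log\.\d{4}-\d{2}-\d{2}$
# Daily files often start with identical bytes, and Splunk's CRC check on the file head
# would then treat a new day's file as one it has already read. Salting the CRC with
# the full path keeps each day's file distinct.
crcSalt = <SOURCE>

# If the logs really do live in several subdirectories, recurse from a narrow root,
# never from '/', so the forwarder does not traverse the whole file system:
[monitor:///var/log/.../access_log.*]
disabled = 1
index = web
sourcetype = access_combined
whitelist = access_log\.\d{4}-\d{2}-\d{2}$
crcSalt = <SOURCE>
```

Restart the forwarder (or run `bin/splunk list monitor`, as mentioned above) to confirm the resolved paths match what you expect.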


richgalloway
SplunkTrust

Valid points. My answer was based on the OP's info, but explicit file paths are best.


w_raza
Explorer

Hi vliggio,

Thanks for your response and for explaining in detail; that helped.


richgalloway
SplunkTrust

It depends on what else is in the same directory that you don't want to monitor, but start with [monitor://../access_log.*].


w_raza
Explorer

Hi Rich,

Thanks for your quick response; that really helped, and it worked.
