Splunk Enterprise

How do you collect Linux logs from files such as access.log.YY-DD-MM?

w_raza
Explorer

Hi,

I've deployed splunklight-7.2.1 and I am using universal log forwarder to forward logs from a Linux server to my Splunk server.

I'm stuck in a condition where I have to get logs from a particular file, which gets created as a new file daily to store the logs. For example, today's logs will be stored in ../access_log.2018-12-31 and tomorrow's logs will be stored as ../access_log.2019-01-01 and so on. Can anyone please guide me on what I should configure in my inputs.conf file to get these logs?

Thanks in advance


vliggio
Communicator

That won't work quite right, Rich. The wildcard is three dots, and using ../ would probably try to find log files up one level from the Splunk root or possibly from the root level (and only at that level). (Checking bin/splunk list monitor just shows that splunk is literally interpreting the ../ but not showing the actual root it's using)

You're always better off with an explicit path as the start (i.e., [monitor:///var/log/access_log.*]), or if it's truly a wildcard recursive search, then it would be [monitor:///var/log/.../access_log.*]. Recursion from the root, though, wouldn't be a very good idea, because then Splunk will have to traverse the whole file system looking for access_log files.

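The two stanza styles discussed in this thread, side by side, as an added inputs.conf example (not from the original post and not from Splunk's documentation). It assumes the daily files live in /var/log on the forwarder and are named access_log.YYYY-MM-DD as in the question; the index name web_logs is a placeholder, and access_combined is used on the assumption that the files are standard web-server access logs.

```ini
# Added example for a universal forwarder's
# $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/inputs.conf).
# Assumes the rotated files live in /var/log as access_log.YYYY-MM-DD.

# --- Fragile: relative path, as first suggested in the thread ---
# "../" is resolved relative to the forwarder's own directory, not the
# web server's log directory, so this stanza may silently match nothing.
# Left here only for comparison; keep it disabled.
# [monitor://../access_log.*]
# disabled = true

# --- Preferred: explicit absolute path plus a tight whitelist ---
[monitor:///var/log/access_log.*]
# Only accept the dated daily files; skip access_log.bak, .gz copies, etc.
# whitelist is matched against the full path of each candidate file.
whitelist = access_log\.\d{4}-\d{2}-\d{2}$
# Do not descend into subdirectories of /var/log.
recursive = false
# Daily files often share identical first bytes (a header line or a
# repeated first record); salting the CRC with the file name stops the
# forwarder from treating a new day's file as one it has already read.
crcSalt = <SOURCE>
sourcetype = access_combined
# "web_logs" is a placeholder index name; it must exist on the indexer.
index = web_logs
disabled = false
```

Only the second stanza should be active. If the logs really are scattered across subdirectories, [monitor:///var/log/.../access_log.*] (three dots, as vliggio describes) recurses below /var/log without walking the whole file system. After restarting the forwarder, `splunk list monitor` shows which paths the stanza resolved to, and `splunk list inputstatus` shows which files are actually being read and how far into each the forwarder has got.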

richgalloway
SplunkTrust

Valid points. My answer was based on the OP's info, but explicit file paths are best.

---
If this reply helps you, Karma would be appreciated.

w_raza
Explorer

Hi vliggio,

Thanks for your response and explaining in detail, that helped.


richgalloway
SplunkTrust

It depends on what else is in the same directory that you don't want to monitor, but start with [monitor://../access_log.*].

---
If this reply helps you, Karma would be appreciated.

w_raza
Explorer

Hi Rich,

Thanks for your quick response, that really helped and it worked.
