Splunk Enterprise

How do you collect Linux logs from files such as access.log.YY-DD-MM?

w_raza
Explorer

Hi,

I've deployed splunklight-7.2.1 and I am using universal log forwarder to forward logs from a Linux server to my Splunk server.

I'm stuck in a situation where I have to get logs from a particular file, which is created as a new file daily to store the logs. For example, today's logs will be stored in ../access_log.2018-12-31 and tomorrow's logs will be stored as ../access_log.2019-01-01 and so on. Can anyone please guide me on what I should configure in my inputs.conf file to get these logs?

Thanks in advance

0 Karma
1 Solution

vliggio
Communicator

That won't work quite right, Rich. The wildcard is three dots, and using ../ would probably try to find log files up one level from the Splunk root or possibly from the root level (and only at that level). (Checking bin/splunk list monitor just shows that Splunk is literally interpreting the ../ but not showing the actual root it's using.)

You're always better off with an explicit path as the start (i.e., [monitor:///var/log/access_log.*]), or if it's truly a wildcard recursive search, then it would be [monitor:///var/log/.../access_log.*]. Recursion from the root, though, wouldn't be a very good idea, because then Splunk will have to traverse the whole file system looking for access_log files.

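The two Splunk monitor wildcards are `*` (matches within a single path segment, never across a `/`) and `...` (matches across any number of directory levels); `..` is not a wildcard at all. The inputs.conf fragment below is an added example, not configuration from the original post or from Splunk's own documentation. It assumes the daily files live in /var/log/httpd and are named access_log.YYYY-MM-DD, and that an index named `web` exists on the indexer; the directory, index and sourcetype are assumptions. It also shows the `whitelist`/`blacklist` settings that answer the "what else is in the directory" question, and the `...` form anchored under a specific directory rather than `/`.

```ini
# inputs.conf on the universal forwarder, e.g. $SPLUNK_HOME/etc/system/local/inputs.conf
# Assumed layout: /var/log/httpd/access_log.2018-12-31, access_log.2019-01-01, ...

# Explicit directory; '*' only matches within the file name, so this covers
# every dated access_log.* file in /var/log/httpd and nothing below it.
[monitor:///var/log/httpd/access_log.*]
disabled = false
index = web
sourcetype = access_combined
# Do not descend into subdirectories (the '*' would not cross a '/' anyway,
# but this keeps the intent explicit and stops the forwarder walking the tree).
recursive = false
# whitelist/blacklist are regexes matched against the full path.
# Only ingest the dated files ...
whitelist = /access_log\.\d{4}-\d{2}-\d{2}$
# ... and skip compressed archives or editor/backup copies that share the prefix.
blacklist = \.(gz|bz2|zip|swp|bak)$
# Skip files not modified in the last 30 days so a forwarder restart
# does not re-read months of rotated history.
ignoreOlderThan = 30d

# Alternative if the dated files are spread across a directory tree:
# '...' is the recursive wildcard. Anchor it under a specific directory,
# never at '/', or the forwarder has to traverse the whole file system.
# Left disabled here so the same files are not ingested twice by both stanzas;
# enable exactly one of the two.
[monitor:///var/log/.../access_log.*]
disabled = true
index = web
sourcetype = access_combined
whitelist = /access_log\.\d{4}-\d{2}-\d{2}$
blacklist = \.(gz|bz2|zip|swp|bak)$
```

After restarting the forwarder, `$SPLUNK_HOME/bin/splunk list monitor` shows the monitored paths and `$SPLUNK_HOME/bin/splunk list inputstatus` shows the per-file read position, which is the quickest way to confirm a new day's file was picked up. One caveat a practitioner will hit: the account the universal forwarder runs as must be able to read the files. If access_log.* is owned by root with mode 0600 the forwarder silently skips it; the fix is to grant read access to the forwarder's group or via an ACL (`setfacl`), not to run the forwarder as root.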

richgalloway
SplunkTrust

Valid points. My answer was based on the OP's info, but explicit file paths are best.

---
If this reply helps you, Karma would be appreciated.
0 Karma

w_raza
Explorer

Hi vliggio,

Thanks for your response and explaining in detail, that helped.

0 Karma

richgalloway
SplunkTrust

It depends on what else is in the same directory that you don't want to monitor, but start with [monitor://../access_log.*].

---
If this reply helps you, Karma would be appreciated.

w_raza
Explorer

Hi Rich,

Thanks for your quick response, that really helped and it worked.

0 Karma