Hi,
I've deployed Splunk Light 7.2.1 and I am using the universal forwarder to forward logs from a Linux server to my Splunk server.
I'm stuck in a situation where I have to get logs from a particular file which gets created as a new file daily to store the logs. For example, today's logs will be stored in ../access_log.2018-12-31 and tomorrow's logs will be stored as ../access_log.2019-01-01, and so on. Can anyone please guide me on what I should configure in my inputs.conf file to get these logs?
Thanks in advance
That won't work quite right, Rich. The wildcard is three dots, and using ../ would probably try to find log files one level up from the Splunk root, or possibly from the root level (and only at that level). (Checking bin/splunk list monitor just shows that Splunk is literally interpreting the ../ but not showing the actual root it's using.)
You're always better off with an explicit path as the start (i.e., [monitor:///var/log/access_log.*]), or if it's truly a wildcard recursive search, then it would be [monitor:///var/log/.../access_log.*]. Recursion from the root wouldn't be a very good idea, though, because then Splunk will have to traverse the whole file system looking for access_log files.
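<br>
As an added example (not code from the thread or from Splunk), the script below emulates how the two stanza forms in the comment above pick files out of a constructed directory listing, using the documented wildcard rules: `*` matches within one path segment and never crosses a `/`, while `...` recurses through subdirectories. It also renders the stanza this thread converges on, with a `whitelist` regex added so that compressed rotations and unrelated files in the same directory are never read. Two things are assumptions of this example rather than facts from the page: that `/.../` also matches the first directory level (zero or more levels), and the `sourcetype`/`index` values used in the rendered stanza.

```python
import re

# Constructed listing of files on the forwarder host; not taken from the thread.
SAMPLE_FILES = [
    "/var/log/access_log",                    # undated current file
    "/var/log/access_log.2018-12-31",
    "/var/log/access_log.2019-01-01",
    "/var/log/access_log.2019-01-01.gz",      # compressed rotation; should be skipped
    "/var/log/error_log.2019-01-01",
    "/var/log/httpd/access_log.2019-01-01",
    "/var/log/httpd/old/access_log.2018-11-30",
]


def stanza_path(stanza_header):
    """'[monitor:///var/log/x.*]' -> '/var/log/x.*' (monitor:// followed by an absolute path)."""
    m = re.fullmatch(r"\[monitor://(.+)\]", stanza_header.strip())
    if not m:
        raise ValueError("not a monitor stanza: %r" % stanza_header)
    return m.group(1)


def monitor_path_regex(path):
    """Translate Splunk monitor wildcards to an anchored regex.

    '*'   matches anything inside a single path segment (never '/').
    '...' recurses through subdirectories.
    Assumption for this example: '/.../' stands for zero or more directory
    levels, so '/var/log/.../f' also matches '/var/log/f'. Check the Splunk
    docs for the exact first-level behaviour of the ellipsis.
    """
    parts = []
    i = 0
    while i < len(path):
        if path.startswith("/.../", i):
            parts.append("/(?:[^/]+/)*")
            i += 5
        elif path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif path[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def monitored_files(stanza_header, files, whitelist=None, blacklist=None):
    """Return the files the stanza would pick up: the path wildcard is applied
    first, then the optional whitelist/blacklist regexes, which Splunk applies
    as unanchored searches against the full path."""
    rx = monitor_path_regex(stanza_path(stanza_header))
    wl = re.compile(whitelist) if whitelist else None
    bl = re.compile(blacklist) if blacklist else None
    out = []
    for f in files:
        if not rx.match(f):
            continue
        if wl and not wl.search(f):
            continue
        if bl and bl.search(f):
            continue
        out.append(f)
    return sorted(out)


# Only the daily, uncompressed files: access_log.YYYY-MM-DD at the end of the path.
DATED_ACCESS_LOG = r"/access_log\.\d{4}-\d{2}-\d{2}$"


def inputs_conf_stanza(path="/var/log/access_log.*", whitelist=DATED_ACCESS_LOG,
                       sourcetype="access_combined", index="web"):
    """Render the inputs.conf stanza: explicit directory, per-segment wildcard
    for the date suffix, and a whitelist to exclude everything else.
    The sourcetype and index values are example assumptions."""
    return ("[monitor://%s]\n"
            "whitelist = %s\n"
            "sourcetype = %s\n"
            "index = %s\n"
            "disabled = 0\n" % (path, whitelist, sourcetype, index))


if __name__ == "__main__":
    print(inputs_conf_stanza())
    for hdr in ("[monitor:///var/log/access_log.*]",
                "[monitor:///var/log/.../access_log.*]"):
        print(hdr, monitored_files(hdr, SAMPLE_FILES))
    print("explicit path + whitelist:",
          monitored_files("[monitor:///var/log/access_log.*]", SAMPLE_FILES,
                          whitelist=DATED_ACCESS_LOG))
```

Running it shows why the explicit stanza alone is not quite enough: `access_log.*` also pulls in `access_log.2019-01-01.gz`, and the recursive form additionally walks into `httpd/` and `httpd/old/`. The whitelist narrows the explicit stanza to exactly the dated daily files, which is the safest configuration to ship to the forwarder.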
Valid points. My answer was based on the OP's info, but explicit file paths are best.
Hi vliggio,
Thanks for your response and for explaining in detail; that helped.
It depends on what else is in the same directory that you don't want to monitor, but start with [monitor://../access_log.*].
Hi Rich,
Thanks for your quick response; that really helped, and it worked.