Is there any way to set up profiles for commonly forwarded logs? I see:
http://docs.splunk.com/Documentation/WAS/latest/User/logdata
details logs. Is there any way I can set up a profile from the indexer to grab all the SystemErr.log, SystemOut.logs from app servers?
BTW, I'm running Splunk 5.0.2 on Red Hat 6.3. I have 2 indexers that are replicating, two search heads, and one master. Perhaps 80 devices are forwarding to the indexers.
Thanks for the answer. What I wound up doing was adding lines to my expect script like so:
expect "]#" { send "find /opt/IBM -name 'SystemErr.log' > $tempfile\r" }
expect "]#" { send "find /opt/IBM -name 'SystemOut.log' >> $tempfile\r" }
expect "]#" { send "find /opt/IBM -name 'trace.log' >> $tempfile\r" }
expect "]#" { send "sed -i 's/^/\[monitor\:\\/\\//' $tempfile\r" }
expect "]#" { send "sed -i 's/$/\]/' $tempfile\r" }
expect "]#" { send "cat $tempfile >> $inputfile\r" }
expect "]#" { send "/opt/splunkforwarder/bin/splunk restart\r" }
expect "]#" { send "ps -ef | grep splunk\r" }
where $inputfile is /opt/splunkforwarder/etc/system/local/inputs.conf
This produces output like this in the inputs.conf file:
[monitor:///var/log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.Messaging.ddcwesbn2-WESBIlabNode02.0/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/nodeagent/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.WebApp.ddcwesbn2-WESBIlabNode02.0/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/WESBIlabNode02_proxy/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.AppTarget.ddcwesbn2-WESBIlabNode02.0/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.Support.ddcwesbn2-WESBIlabNode02.0/SystemErr.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.Messaging.ddcwesbn2-WESBIlabNode02.0/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/nodeagent/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.WebApp.ddcwesbn2-WESBIlabNode02.0/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/WESBIlabNode02_proxy/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.AppTarget.ddcwesbn2-WESBIlabNode02.0/SystemOut.log]
[monitor:///opt/IBM/WebSphere/WesbServer/profiles/WESBIlabNode02/logs/BUSILABDE.Support.ddcwesbn2-WESBIlabNode02.0/SystemOut.log]
You might want to set the monitor to /opt/*.log or a similar expression matching all your log files, and then whitelist (or blacklist) your way towards the correct set of files.
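The whitelist approach from the answer above, as an added example that is not part of the original thread: one recursive monitor stanza with a `whitelist` regex replaces the per-file stanzas, and a `find`/`grep -E` preview shows which files it would pick up before the forwarder is restarted. The regex, the function names and the sample directory tree are assumptions made for this example, and `grep -E` only approximates Splunk's regex matching (adequate for a simple pattern like this one).

```shell
#!/bin/sh
# Added example. The directory tree built below is constructed sample data.

# Assumed whitelist: keep only the three WebSphere log names, matched on the full path.
WHITELIST='/(SystemErr|SystemOut|trace)\.log$'

# Print one inputs.conf stanza: monitor ROOT recursively, keep paths matching REGEX.
monitor_stanza() {
    printf '[monitor://%s]\nwhitelist = %s\n' "$1" "$2"
}

# List the files under ROOT that the whitelist would keep.
# grep -E stands in for Splunk's regex engine here.
preview_matches() {
    find "$1" -type f | grep -E -- "$2" | sort
}

# Build a small constructed tree resembling a WebSphere profile's logs directory.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    for server in nodeagent WebApp.0 Messaging.0; do
        mkdir -p "$root/profiles/Node02/logs/$server"
        for f in SystemErr.log SystemOut.log trace.log native_stderr.log SystemOut.log.bak; do
            : > "$root/profiles/Node02/logs/$server/$f"
        done
    done
    printf '%s\n' "$root"
}

main() {
    root=$(build_sample_tree) || return 1
    monitor_stanza "$root" "$WHITELIST"
    echo "# files this stanza would pick up:"
    preview_matches "$root" "$WHITELIST"
    rm -rf "$root"
}

main
```

Files such as `native_stderr.log` or `SystemOut.log.bak` do not appear in the preview, so any log that should be collected but is missing from the list means the regex needs widening.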
Follow up question. Let's say I want to monitor three files, /opt/a.log, /opt/b.log, /opt/c.log
What would the [monitor://xxxx] statement in inputs.conf look like? Could I do this:
[monitor:///opt/a.log,/opt/b.log,/opt/c.log]
or does it have to be
[monitor:///opt/a.log]
[monitor:///opt/b.log]
[monitor:///opt/c.log]
Thanks.