Hi,
I have the following folder structure:
C:\temp\logs\ComponentName1\InstanceName1\log.txt
C:\temp\logs\ComponentName2\InstanceName3\FolderToExclude
There are various ComponentName folders and 3 InstanceName folders under each component.
I'd like:
For #1 I tried to add in "C:\Program Files\Splunk\etc\system\local\inputs.conf"
the following line:
[monitor://c:\temp\logs\.\(InstanceName1|InstanceName2|InstanceName3)\..txt]
sourcetype = MySourceType
I restarted splunkd and splunkweb but it didn't help.
When I create a new file under C:\temp\logs\ComponentName2\InstanceName3\FolderToExclude it is still monitored.
For #2 I think I should add a stanza [MySourceType] containing
EXTRACT-extract_ComponentName = ?????
EXTRACT-extract_InstanceName = ?????
but I am not sure how to do this.
Could you please help?
Thanks!
Please mark answer if it gave you the solution, may help others as well
Thanks, I got what I want!
Please follow the monitor stanza in the below documentation.
http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Inputsconf
Monitor the parent directory with "recursive = true"
and define whitelist=(.)*.txt to see if only the .txt files are monitored. Thanks
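
An added example, not part of the original thread and not Splunk's own code: a small Python model for checking candidate whitelist, blacklist and path-extraction regexes against sample paths before putting them in inputs.conf and props.conf. The regexes, the EXTRACT class name path_fields and the sample paths are assumptions built from the paths in the question; the model assumes both filters are matched against the full file path and that the blacklist takes precedence.

```python
import re

# Candidate inputs.conf stanza (assumption, built from the paths in the question):
#   [monitor://C:\temp\logs]
#   recursive = true
#   whitelist = \.txt$
#   blacklist = \\FolderToExclude\\
#   sourcetype = MySourceType
WHITELIST = re.compile(r"\.txt$")
BLACKLIST = re.compile(r"\\FolderToExclude\\")

# Candidate props.conf setting under [MySourceType] (class name is hypothetical):
#   EXTRACT-path_fields = \\logs\\(?P<ComponentName>[^\\]+)\\(?P<InstanceName>[^\\]+)\\ in source
PATH_FIELDS = re.compile(
    r"\\logs\\(?P<ComponentName>[^\\]+)\\(?P<InstanceName>[^\\]+)\\"
)

# Constructed sample paths following the folder layout in the question.
SAMPLE_PATHS = [
    r"C:\temp\logs\ComponentName1\InstanceName1\log.txt",
    r"C:\temp\logs\ComponentName2\InstanceName3\FolderToExclude\new.txt",
    r"C:\temp\logs\ComponentName2\InstanceName3\trace.bin",
]


def is_monitored(path):
    """Model of the monitor filters: full-path match, blacklist wins."""
    if BLACKLIST.search(path):
        return False
    return WHITELIST.search(path) is not None


def path_fields(path):
    """Return ComponentName / InstanceName taken from the source path."""
    match = PATH_FIELDS.search(path)
    return match.groupdict() if match else {}


if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print(sample, is_monitored(sample), path_fields(sample))
```
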