Solved: How can we monitor all log files in current direct...

ddrillic · ‎12-14-2016

We wonder whether [monitor:///<source>/logs/*.log] would monitor all log files in the <source>/logs directory and also in sub-directories under <source>/logs, such as <source>/logs/2016121404.

We wonder whether [monitor:///<source>/logs/.../*.log] would get the data from both areas...

lguinn2 · ‎12-14-2016

If you want to monitor all logs in the /source/logs directory, you can simply do this

[monitor:///source/logs/]
whitelist=\.log$

I think that is the cleanest and easiest to understand. But this should do the same thing

[monitor:///source/logs/.../*.log]

In either case, Splunk will walk the entire directory tree, starting from /source/logs, and index any file it finds where the file path ends in ".log"

View solution in original post

lguinn2 · ‎12-14-2016

If you want to monitor all logs in the /source/logs directory, you can simply do this

[monitor:///source/logs/]
whitelist=\.log$

I think that is the cleanest and easiest to understand. But this should do the same thing

[monitor:///source/logs/.../*.log]

In either case, Splunk will walk the entire directory tree, starting from /source/logs, and index any file it finds where the file path ends in ".log"

ddrillic · ‎12-14-2016

Gorgeous!!

How can we monitor all log files in current directory and sub-directories?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases