How to edit my monitor stanza in inputs.conf on th...

avis1119 · ‎11-09-2016

Hi All,

I have a Splunk environment with deployment server and forwarders of nearly 200. In one of the deployment apps folders, I have updated the inputs.conf file with the below stanza

[monitor=///opt/.../actimize-logs/CCTM_RETAIL_(NFT|NFOT)_B[13579]/logs/access_logs/]
whitelist=((notify|score)(Customer|PaymentArrangement|Product|Rejection|IntPayment|PassReset|TravelMoney)\.(access.log))$

After deploying the serverclass, I am not able to receive the logs. I have checked the forwarder, but everything is fine and is sending other logs. So I doubt at the inputs stanza only. So can anyone help in identifying the mistake I have done in the regex?

Thanks in advance

willamwar · ‎11-14-2016

First off I would encourage you to run your regex through regex101

https://regex101.com/r/koEOps/1

Next can you please provide a sample of the file names. You can also 'save' these in the regex101 as well as here.

Did you verify file permissions and did you look in /var/log/splunk on a forwarder where the data is?

Are you using a regex in the monitor as well? "(NFT|NFOT)"? If you read when and when Regex works (https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Specifyinputpathswithwildcards ).
You may need to add a * after your regex.
e.g.

(NFT|NFOT)*

Lastly you did not escape your last . (via .) which should not matter here, but it's good practice.

How to edit my monitor stanza in inputs.conf on the deployment server to collect logs from our forwarders?

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!