Need help for monitoring files

hrca33 · ‎09-27-2016

I am monitoring couple of files by specifying same source type.

Inputs.conf:-

[monitor://D:**\Installations*\Logs*\XYZ]
sourcetype = abc
index = ******
disabled = false
ignoreOlderThan = 2d

[monitor://D:**\Installations*\Logs*\fgh]
sourcetype = abc
index = ******
disabled = false
ignoreOlderThan = 2d

Now, I need to monitor the same path not individually mentioning the file names by using wildcards. Here I am using different source type.

[monitor://D:**\Installations*\Logs**.log]
sourcetype = xyz
index = ******
disabled = false
ignoreOlderThan = 2d

Is this works??

need help

Thanks

gcusello · ‎09-28-2016

Hi hrca33,
if your "XYZ" and "fhg" files have both ".log" extension, you could use
[monitor://D:\Installations\Logs**.log]

if they have different names and in the Log* directories there aren't other files with .log extension, you can use
[monitor://D:\Installations\Logs*]

if they have different names and in the directories there are other files easily identified (e.g.: .php), you can use
[monitor://D:\Installations\Logs*]
blacklist = *.php

Bye.
Giuseppe

ddrillic · ‎09-27-2016

What about the index name? I see index = **. What's the intention?

hrca33 · ‎09-27-2016

Am using the same index.

ddrillic · ‎09-27-2016

Got it - does it work?

Need help for monitoring files

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases