- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- monitor a directory with yesterday date (and avoid...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi everybody
i have to monitor a server with some directories ordered by date. I have to index automatically every day the folder with yesterday date and I absolutely have to avoid monitoring the folders with today date: in those directories, the server instead append rows to files, again and again erases and rewrites the files, updating them, and forcing Splunk to re-indexing all events. I would tell Splunk to follow a command like this [monitor:///home/folder1/folder2/folder3//.../LOG.txt] but... i don't know how insert a date-variable in "monitor". How I can have a variable in monitor path (or how I can use a workaround to obtain my goal..)?
here a sample of my the directories
///home/folder1/folder2/folder3/2014-12-10/<some other directories and files>/LOG.txt
///home/folder1/folder2/folder3/2014-12-09/<some other directories and files>/LOG.txt
///home/folder1/folder2/folder3/2014-12-08/<some other directories and files>/LOG.txt
///home/folder1/folder2/folder3/2014-12-07/<some other directories and files>/LOG.txt
thanks in advance for help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my opinion, the best option is solve in linux (or the *NIX that you use):
1.) Create a script like this:
#!/bin/sh
rm -f /home/folder1/folder2/folder3/YESTERDAY
YESTERDAY=`date --date='yesterday' +%Y-%m-%d`
ln -s /home/folder1/folder2/folder3/$YESTERDAY /home/folder1/folder2/folder3/YESTERDAY
2.) Create an input to the YESTERDAY symbolic link:
[monitor:///home/folder1/folder2/folder3/YESTERDAY]
disabled = false
followTail = 0
sourcetype = any_sourcetype
3.) Create a cron job that execute the script at 00:01 every day.
1 0 * * * /path/to/script.sh
4.) Restart splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks a lot !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my opinion, the best option is solve in linux (or the *NIX that you use):
1.) Create a script like this:
#!/bin/sh
rm -f /home/folder1/folder2/folder3/YESTERDAY
YESTERDAY=`date --date='yesterday' +%Y-%m-%d`
ln -s /home/folder1/folder2/folder3/$YESTERDAY /home/folder1/folder2/folder3/YESTERDAY
2.) Create an input to the YESTERDAY symbolic link:
[monitor:///home/folder1/folder2/folder3/YESTERDAY]
disabled = false
followTail = 0
sourcetype = any_sourcetype
3.) Create a cron job that execute the script at 00:01 every day.
1 0 * * * /path/to/script.sh
4.) Restart splunk
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
