Monitoring Splunk

Monitoring Logfiles with random number as part of the name

rvbalaji
Explorer

Our logfiles are named in the format Log.Activity.prod.###.txt where ### is a random number. We also want to leave out the previous days' logs, which are in the format Log.Activity.prod.###.yyyy-mm-dd.txt (using the blacklist -).

We have set up Splunk light forwarders, and the following is what we have in our Inputs.conf file:

[monitor://d:\LogFiles\prod\Log.Activity.prod.*]
blacklist = -
disabled = false
sourcetype = Prod

[monitor://d:\LogFiles\beta\Log.Activity.beta.*]
blacklist = -
disabled = false
sourcetype = Beta

[monitor://d:\LogFiles\alpha\Log.Activity.alpha.*]
blacklist = -
disabled = false
sourcetype = Alpha

But for some reason splunk does not identify the file that is being logged to.

0 Karma
1 Solution

rvbalaji
Explorer

There weren't any issues with my Inputs.conf, but after changing the license on Splunk to use the forwarder license, access to the Inputs.conf file was removed for the profile Splunk was running under. Resetting the permissions on the Splunk folder resolved the issue. Thanks.


0 Karma


dwaddle
SplunkTrust

You might have more success with something like this:

[monitor://d:\LogFiles\prod]
whitelist = Log.Activity.[a-zA-Z]+.[0-9]+.txt
disabled = false
sourcetype = Prod
recursive = false

The whitelist avoids everything but your "current" logfile. (I'm not sure how wildcards in the monitor stanza and whitelist/blacklist interact -- something in the back of my mind says they don't get along, as Splunk internally might be using whitelist/blacklist to implement your wildcards.)

Strictly speaking, you aren't required to not monitor the 'older' files. As long as the first 256 bytes are the same, Splunk should recognize it as a rotated file and not re-index it even if the name changes.

0 Karma
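A small simulation, added here and not taken from the thread or from Splunk, of the two mechanisms dwaddle describes: regex whitelist/blacklist selection of the "current" logfile, and the fingerprint over the first 256 bytes that lets a renamed (rotated) file be recognised rather than re-indexed. The sample file names and log bytes are constructed, and zlib.crc32 is an assumed stand-in for Splunk's internal CRC.

```python
import re
import zlib

# Constructed sample listing for d:\LogFiles\prod (not from the original post).
SAMPLE_FILES = [
    r"d:\LogFiles\prod\Log.Activity.prod.4711.txt",             # current log
    r"d:\LogFiles\prod\Log.Activity.prod.4711.2010-10-26.txt",  # yesterday's, rotated
    r"d:\LogFiles\prod\Log.Activity.prod.9302.txt",             # another current log
]
CURRENT_ONLY = r"Log.Activity.[a-zA-Z]+.[0-9]+.txt"  # whitelist from dwaddle's stanza
DATED = r"-"                                          # blacklist from the question


def select_monitored(paths, whitelist=None, blacklist=None):
    """Apply Splunk's monitor filtering rules to a list of paths.

    Both patterns are regexes searched (not anchored) against the full path;
    a blacklist hit always wins, then the whitelist must match to keep a file.
    """
    kept = []
    for path in paths:
        if blacklist and re.search(blacklist, path):
            continue
        if whitelist and not re.search(whitelist, path):
            continue
        kept.append(path)
    return kept


def header_crc(data, crc_salt="", init_crc_length=256):
    """Simulate Splunk's file fingerprint: a CRC over the first initCrcLength
    bytes with crcSalt mixed in. zlib.crc32 is an assumption standing in for
    Splunk's own CRC; what matters is that an identical header gives the same id.
    """
    return zlib.crc32(data[:init_crc_length] + crc_salt.encode())


# Constructed log content: a header line repeated so the file exceeds 256 bytes.
OLD_LOG = b"2010-10-26 00:00:01 INFO ActivityService starting up\n" * 6
APPENDED = OLD_LOG + b"2010-10-26 23:59:58 INFO request handled\n"


def rotation_is_recognized(before, after):
    """True when the file after rotation keeps the fingerprint of the file
    before it, i.e. Splunk would continue it instead of re-indexing it."""
    return header_crc(before) == header_crc(after)


def salted_fingerprints_differ(data, old_path, new_path):
    """With crcSalt = <SOURCE> the path becomes part of the fingerprint, so a
    plain rename yields a new id and the rotated file is indexed a second time."""
    return header_crc(data, old_path) != header_crc(data, new_path)
```

The last function is the caveat behind the crcsalt attempt later in the thread: salting with the source path makes every renamed file look new, so day-old rotated logs would be indexed twice.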


rvbalaji
Explorer

I have not had luck with the above, but I do see the following error in splunkd.log:
10-27-2010 12:53:49.895 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
10-27-2010 12:53:49.895 INFO TailingProcessor - ...continuing.

I even tried adding "crcsalt = " with no luck.

0 Karma

dwaddle
SplunkTrust

Note - I only updated one of your inputs.conf stanzas - you should be able to make up the other two based upon it.

0 Karma

dwaddle
SplunkTrust

You can turn on sourcetype auto classification - see http://www.splunk.com/base/Documentation/latest/Admin/Aboutdefaultfields . But, if you are going to manually specify the sourcetype in an inputs.conf stanza, it can only take on one value per stanza.

0 Karma

rvbalaji
Explorer

Let me try this, but are multiple sourcetypes allowed to be defined in the same inputs.conf?

0 Karma