Are Wildcards supported for use with UNC Paths?

Question

I am trying to index a UNC Path, but am unable to use wildcards..

Here's what I"m trying to match

\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG

I don't want to match this

\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG

The manual indicates I could use *, but am having no luck.. Have tried this..

\\IISLOGS\MYSERVER*
\\IISLOGS\MYSERVER*\

NO indexing at all occurs if I do this..

Answer 1

1

Have you considered just eating \IISLOGS and using _blacklist = YOURSERVER

http://www.splunk.com/base/Documentation/latest/Data/Whitelistorblacklistspecificincomingdata

link

answered 05 May '11, 13:54

Michael Wilde ♦
695●5●20
accept rate: 57%

Awesome.. I could not get it to work using wildcards in the path, but using a WHITELIST, it worked perfectly...

.*MYSERVER.*

Thanks for the help!

(05 May '11, 16:37) rnavis

Update: Did NOT work as expected... When creating a SECOND input for the same path for the second set of servers, I got a message indicating that I could not create an input with the same name..

This seems like pretty basic functionality.. Essentially, I want to create multiple indexes with files with a common path..

(05 May '11, 18:25) rnavis

Splunk only lets you monitor a directory once. What is your scheme for determining what data goes in which index?

(05 May '11, 18:36) Michael Wilde ♦

Answer 2

We should be able to use your existing singular whitelist to eat the directory, but exclude everything other than your server, as you have done.

Then.. create two files in the same dir called "props.conf" & "transforms.conf" (assuming you're in the $SPLUNK_HOME/etc/apps/search/local directory in props.conf, we can choose how events get selected and are processed by "transforms.conf". Transforms.conf will make our "index-switching" happen on the fly. Just tested it locally, seems to work just fine.

PROPS.CONF

[source::...Order...]
TRANSFORMS-moveorders = toIndex1

[source::...Product...]
TRANSFORMS-moveproducts = toIndex2

[source::...Customer...]
TRANSFORMS-movecustomers = toIndex3

TRANSFORMS.CONF

[toIndex1]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index1

[toIndex2]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index2

[toIndex3]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = Index3

Answer 3

0

Your examples seem a bit odd to me, but to match your .LOG files in your example you would use

\\IISLOGS\MYSERVER01\W3SVC01\*.LOG

[EDIT] You could use the wildcard as such:

\\IISLOGS\MYSERVER*\W3SVC01\*.LOG

link

answered 05 May '11, 12:51

ftk ♦
6.8k●1●7●28
accept rate: 38%

edited 05 May '11, 13:38

Answer 4

0

Sorry... need to clarify my example. Was hoping not to have a seperate entry for each server.. Need to match the following..

\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER02\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER03\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER04\W3SVC01\EX10.LOG
\\IISLOGS\MYSERVER05\W3SVC01\EX10.LOG

Don't want to match..

\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG

link

answered 05 May '11, 13:04

rnavis
410●3●10
accept rate: 25%

edited 05 May '11, 13:37

ftk ♦
6.8k●1●7●28

I updated my answer, basically just use more wildcards.

(05 May '11, 13:39) ftk ♦

Answer 5

Finally able to get this to work. Ended up deleting all the configuration on my server and recreating it, so potentially their was something conflicting? Anyway, just wanted to close the loop on this, showing that you can wildcard in your inputs.conf file without using transforms... Here's three examples of syntax I used for the monitor headers that WORKED.

[monitor://\ServerLogsprodprod-iislogsHS1WS*...]

[monitor://\ServerLogsprodprod-iislogsHS2WS*...]

[monitor://\ServerLogsprodprod-iislogsSI1WS*...]

Are Wildcards supported for use with UNC Paths?

PROPS.CONF

TRANSFORMS.CONF

Follow this question

Splunk Resources

Related questions