We recommend you watch the accompanying YouTube video “Monitor-Stanzas mit regulären Ausdrücken – Splunk in 5 Minuten” for visual examples and a more detailed explanation.
Introduction to Monitor stanzas
In this blog post, we will show you how to use regular expressions in Monitor stanzas to monitor files or directories. We will demonstrate with different examples how you can define complex inputs and use them for your purposes. This way you can monitor exactly the information that is important to you.
In the following example we will show you how to read files using the “inputs.conf”:
[monitor:///var/log/secure.log]
sourcetype = linux_secure
host = myhost
index = linux_secure
The stanza itself contains the absolute path to the file or directory we want to monitor. All other parameters (sourcetype, host, index, etc.) are optional.
If these are not specified, default values are used for them:
- Default host as in etc/system/local/inputs.conf
- Default source is the full filename (if only the path is specified, the full path together with the filename will be used as source)
- Default sourcetype is “automatic”
Use of wildcards in monitor stanzas
The monitor stanzas in inputs.conf support two different placeholders:
Three dots (…): Using the three dots in the monitor stanza allows to search all subdirectories recursively for hits.
Asterisk (*): The asterisk marks either a single path segment (non-recursive) or parts of strings in the path segment or filename.
Wildcard examples
In the following figure you can see an example of wildcards:
Monitoring of files in the www1 directory whose name starts with secure, with any extension
[monitor:///var/log/www1/secure.*]
sourcetype = linux_secure
This hits the following files:
/var/log/www1/secure.log
/var/log/www1/secure.l
But not these files:
/var/log/www1/logs/secure.log
In the following figure you can find an example with a recursive wildcard:
Monitoring of multiple directories with the recursive wildcard:
[monitor:///var/log/.../secure.*]
sourcetype = linux_secure
This hits the following files:
/var/log/www1/secure.log
/var/log/www1/secure.l
/var/log/www1/logs/secure.log
Regular expressions in monitor stanzas
It is also possible to use wildcards together with regular expressions in the stanza.
So, for example, we can define a monitoring stanza here:
[monitor://var/.../log[A-Z0-9]*.log]
sourcetype = linux_secure
The square brackets [A-Z0-9] define the characters that are allowed, namely A to Z and 0 to 9. The asterisk (*) that follows indicates that a character from this set can occur any number of times. The asterisk is interpreted differently here than in the earlier examples because the character class and the asterisk are already preceded by the recursive wildcard (…); it acts as a repetition count for the preceding expression rather than as a path wildcard.
Here you can see files that this stanza matches and files that it does not match:
Matches these files:
/var/splunk/logA.log
/var/home/splunk/log0934213.log
/varr/home/log0934213.log
But not these files:
/var/splunk/log_abc.log
/var/wer235.log
var/splunk/logA.log1
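To make the wildcard and regex rules from the three examples above tangible, here is an added Python example (not part of the original post and not Splunk's own path-matching code) that translates a monitor stanza into an anchored regular expression using the rules described in this post and checks it against sample paths taken from the examples. The translation (… as any characters, * as a single path segment, a character class plus asterisk as a regex quantifier) and the treatment of a path without a leading slash as absolute are assumptions of this example.

```python
import re

def stanza_to_regex(stanza: str) -> str:
    """Translate a monitor stanza header or path into an anchored regex.
    Assumed rules (approximation of the post, not Splunk's implementation):
    '...' -> anything including '/', '*' -> anything except '/',
    '[...]' -> regex class passed through, '[...]*' -> class + quantifier."""
    path = stanza.strip()
    if path.startswith("[") and path.endswith("]"):
        path = path[1:-1]
    if path.startswith("monitor://"):
        path = path[len("monitor://"):]
    if not path.startswith("/"):  # assumption: treat the path as absolute
        path = "/" + path
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):          # recursive wildcard
            out.append(".*")
            i += 3
        elif path[i] == "[" and "]" in path[i:]:  # regex character class
            close = path.index("]", i)
            out.append(path[i:close + 1])
            i = close + 1
            if i < len(path) and path[i] == "*":  # quantifier, not wildcard
                out.append("*")
                i += 1
        elif path[i] == "*":                   # single-segment wildcard
            out.append("[^/]*")
            i += 1
        else:                                  # literal character
            out.append(re.escape(path[i]))
            i += 1
    return "^" + "".join(out) + "$"

def select_files(stanza: str, candidates: list) -> list:
    """Return the candidate paths the stanza would pick up, in input order."""
    pattern = re.compile(stanza_to_regex(stanza))
    return [f for f in candidates if pattern.match(f)]

# Constructed sample paths, taken from the examples in the post.
SAMPLE_FILES = [
    "/var/log/www1/secure.log", "/var/log/www1/secure.l",
    "/var/log/www1/logs/secure.log", "/var/splunk/logA.log",
    "/var/home/splunk/log0934213.log", "/var/splunk/log_abc.log",
    "/var/wer235.log", "/var/splunk/logA.log1",
]
```

Run `select_files("[monitor:///var/log/.../secure.*]", SAMPLE_FILES)` to see the recursive example pick up the file in the logs subdirectory that the single-segment example skips.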
Conclusion
By using monitor stanzas with regular expressions, you can define more complex inputs.