Monitor stanzas with regular expressions

July 24, 2023

We recommend you watch the accompanying YouTube video “Monitor-Stanzas mit regulären Ausdrücken – Splunk in 5 Minuten” for visual examples and a more detailed explanation.

Introduction to Monitor stanzas

In this blog post, we will show you how to use regular expressions in Monitor stanzas to monitor files or directories. We will demonstrate with different examples how you can define complex inputs and use them for your purposes. This way you can monitor exactly the information that is important to you.

The following example shows how to read a file using a stanza in inputs.conf:

[monitor:///var/log/secure.log]
sourcetype = linux_secure
host = myhost
index = linux_secure

The stanza header itself contains the absolute path of the file or directory we want to monitor. All other parameters (sourcetype, host, index, etc.) are optional.

If they are not specified, the following default values are used:

  • Default host as in etc/system/local/inputs.conf
  • Default source is the full filename (if only a path is specified, the full path together with the filename is used as the source)
  • Default sourcetype is “automatic”

Use of wildcards in monitor stanzas

The monitor stanzas in inputs.conf support two different placeholders:

Three dots (...): Using the three dots in the monitor stanza searches all subdirectories recursively for matches.

Asterisk (*): The asterisk matches either a whole single path segment (non-recursive) or part of a string within a path segment or filename.

Wildcard examples

The following example shows the use of the single-segment wildcard:

Monitoring of files in the www1 directory whose name starts with secure, with any extension:

[monitor:///var/log/www1/secure.*]
sourcetype = linux_secure

This matches the following files:
/var/log/www1/secure.log
/var/log/www1/secure.l

But not this file:
/var/log/www1/logs/secure.log

The following example shows the use of the recursive wildcard:

Monitoring of multiple directories with the recursive wildcard:

[monitor:///var/log/.../secure.*]
sourcetype = linux_secure

This matches the following files:
/var/log/www1/secure.log
/var/log/www1/secure.l
/var/log/www1/logs/secure.log

Regular expressions in monitor stanzas

It is also possible to combine wildcards with regular expressions in the stanza.

For example, we can define the following monitor stanza:

[monitor://var/.../log[A-Z0-9]*.log]
sourcetype = linux_secure

The square brackets [A-Z0-9] define the characters that are allowed, namely A to Z and 0 to 9. The following asterisk (*) indicates that this character class can occur any number of times. The asterisk is interpreted differently here because the expression is already preceded by the recursive wildcard (...) and the asterisk follows a character class rather than standing alone in a path segment.

Here are files that this stanza matches and files that it does not match:

Matches these files:
/var/splunk/logA.log
/var/home/splunk/log0934213.log
/varr/home/log0934213.log

But not these files:
/var/splunk/log_abc.log
/var/wer235.log
/var/splunk/logA.log1
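To make the wildcard rules from the two sections above concrete, here is an added example (not Splunk's own code, and not taken from the post) that translates the path part of a monitor stanza into a Python regular expression and checks candidate paths against it. It assumes that `...` matches one or more subdirectory levels, that `*` matches within a single path segment unless it directly follows a character class such as `[A-Z0-9]`, and that the stanza path is compared against the full absolute path.

```python
import re


def monitor_path_to_regex(stanza_path: str) -> str:
    """Translate the path of a [monitor://...] stanza into a regex (simplified model)."""
    out = []
    i = 0
    while i < len(stanza_path):
        if stanza_path.startswith("...", i):
            # recursive wildcard: one or more subdirectory levels (assumption)
            out.append(r"[^/]+(?:/[^/]+)*")
            i += 3
            continue
        ch = stanza_path[i]
        if ch == "*":
            prev = stanza_path[i - 1] if i > 0 else ""
            # after a character class the star is a regex quantifier;
            # otherwise it is the single-segment wildcard and must not cross "/"
            out.append("*" if prev in "])" else r"[^/]*")
        else:
            out.append(ch)  # literal characters and [..] classes pass through
        i += 1
    return "".join(out)


def stanza_matches(stanza: str, path: str) -> bool:
    """Return True when `path` would be picked up by the given monitor stanza."""
    m = re.fullmatch(r"\[monitor://(.*)\]", stanza.strip())
    if not m:
        raise ValueError(f"not a monitor stanza: {stanza}")
    return re.fullmatch(monitor_path_to_regex(m.group(1)), path) is not None


def matching_paths(stanza: str, paths: list[str]) -> list[str]:
    """Filter candidate paths down to those the stanza matches."""
    return [p for p in paths if stanza_matches(stanza, p)]


if __name__ == "__main__":
    # Constructed sample paths, taken from the examples in the post.
    candidates = [
        "/var/log/www1/secure.log",
        "/var/log/www1/secure.l",
        "/var/log/www1/logs/secure.log",
    ]
    for stanza in ("[monitor:///var/log/www1/secure.*]",
                   "[monitor:///var/log/.../secure.*]"):
        print(stanza, "->", matching_paths(stanza, candidates))
```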

Conclusion

By using monitor stanzas with regular expressions, you can define more complex inputs.
