I'm struggling with an issue involving my old nemesis, nf rules :-). In this case, we have a catch-all rule on our apache servers' nf at the bottom that looks like

There are multiple directories for different applications (Apache virtual hosts) under /var/weblogs, like /var/weblogs/foo/access.log and so on. What I need to do is tell Splunk to make an exception for applications that start with "presell". As a normal regular expression this would look like "^/var/weblogs/presell.*/(access|error).log$". I believe it used to be that monitor: lines in nf only understood their special wildcards and no regular expression stuff, but now it seems like there are some rules that allow some REs to be understood if they're mixed with wildcards in the same segment (weird!).

Events are still captured but go to the default index (i.e.

That extra '*' in front of the grouping expression is in accordance with the new rules that say that it would be recognized as an RE since there is a wildcard in the same segment.

The recommended approach to solve this issue is to create one stanza in nf to read in both sets of files and also deploy a nf within the same add-on on the Forwarder to specify the sourcetype based on the source.

Would give me mostly what I want (I don't really want to capture anything that might crop up there with a.

Still sends these events to the 'apache' index.

I know I can't say because the implicit whitelist from the monitor: line conflicts with the explicit whitelist (and it doesn't work anyway). The only things I've found that work are to explicitly list the directories and/or files. That is, either both of which are undesirable because it means I still have to enumerate all applications that start with "presell", meaning that if a new one cropped up tomorrow, it would not be handled the way I want. That is, if I could truly match on "presell*". Normally if I stare at stuff like this long enough I see something obvious that I'm doing wrong, but so far I've been unable to figure out why this isn't working the way I'd expect.

I had been using a 6.4.3 universal forwarder here (sending to 6.5.0 forwarders and indexers) and then moved to 6.5.0 universal forwarders. As expected, the different versions work the same.

The workaround for preventing reindex caused by changing initCrcLength is 'ignoreOlderThan'.

I'm embarrassed to admit that I hadn't considered blacklists to solve this.

But the 'ignoreOlderThan' option looks at the update time of the file, so it will not be effective for files that are frequently updated. So I want to know a method of preventing reindexing caused by changing initCrcLength when I am monitoring frequently updated files.

This was still quite a pain to resolve even with the blacklist, but it did help a lot. I had a problem with constructing a monitor line that would properly match files in any presell* directory - problems I don't think I should have had, but I finally landed on the following, which seems to work.

(Why can't Splunk just use regular expressions in the monitor line now?)

Would work to trigger Splunk to recognize both its own wildcard and then a PCRE in the final segment, but that never seemed to work, but does. The '*' in the final segment is completely superfluous other than to tell Splunk to honor the PCRE.