To set host to webserver1, you could use either:

[monitor:///nfs/logs/*/access.log*]
sourcetype=access
host_segment=3

Or:

[monitor:///nfs/logs/*/access.log*]
sourcetype=access
# the first capture group, matched against the full path, becomes host;
# [^/]+ keeps the group to one path segment (a lazy .*? would capture nfs/logs/webserver1)
host_regex=/([^/]+)/access\.log

host_regex could also be used to extract the value of host from the filename.

It is also possible to reset host using a transform, with the caveat that this will occur after parsing, which means any settings in props.conf that rely on matching host will already have been applied.
Ignoring old data at installation
It is often the case that when Splunk is installed, months or years of logs are sitting
in a directory where logs are currently being written. Logs that are appended to
infrequently may also have months or years of events that are no longer interesting
and would be wasteful to index.
The best solution is to set up archive scripts to compress any logs older than a few
days, but in a large environment, this may be difficult to do. Splunk has two settings
that help ignore older data, but be forewarned: once these files have been ignored,
there is no simple way to change your mind later. If, instead, you compress older
logs and blacklist the compressed files as explained in the Using blacklist and whitelist
section, you can simply decompress, at a later stage, any files you would like to
index. Let's look at a sample stanza:
[monitor:///opt/B/logs/access.log*]
sourcetype = access
ignoreOlderThan = 14d
In this case, ignoreOlderThan says to ignore, forever, all events in any files whose
modification date is older than 14 days. If the file is updated in the future, any
new events will be indexed.

The followTail attribute lets us ignore all events written so far, instead starting at
the end of each file. Let's look at an example:
[monitor:///opt/B/logs/access.log*]
sourcetype = access
followTail = 1
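As an added example (not code from the book or from Splunk itself), the following Python emulates what the settings above do to a file's path, modification time and size, so that a host_segment, host_regex, ignoreOlderThan or followTail value can be checked offline before it goes into inputs.conf. The sample path and timestamps are constructed; the regex case also shows how an over-broad capture group changes the extracted host.

```python
import re

# Emulation of the inputs.conf settings discussed above (added example, not Splunk code).

SAMPLE_PATH = "/nfs/logs/webserver1/access.log.2"   # constructed sample path


def host_from_segment(path: str, segment: int):
    """host_segment=N: the Nth slash-separated component of the path (1-based)."""
    parts = [p for p in path.split("/") if p]
    if not 1 <= segment <= len(parts):
        return None
    return parts[segment - 1]


def host_from_regex(path: str, pattern: str):
    """host_regex: the first capture group of the first match against the full path."""
    m = re.search(pattern, path)
    if m is None or m.lastindex is None:
        return None
    return m.group(1)


_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_age(spec: str) -> int:
    """ignoreOlderThan value such as '14d' -> number of seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", spec)
    if m is None:
        raise ValueError(f"bad ignoreOlderThan value: {spec!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def is_ignored(mtime: float, ignore_older_than: str, now: float) -> bool:
    """True when the file's modification time is older than the window, i.e. the
    file is skipped and stays skipped until something writes to it again."""
    return now - mtime > parse_age(ignore_older_than)


def initial_offset(file_size: int, follow_tail: bool) -> int:
    """followTail=1 starts reading at the current end of the file instead of byte 0."""
    return file_size if follow_tail else 0


if __name__ == "__main__":
    print(host_from_segment(SAMPLE_PATH, 3))                       # webserver1
    print(host_from_regex(SAMPLE_PATH, r"/([^/]+)/access\.log"))   # webserver1
    print(host_from_regex(SAMPLE_PATH, r"/(.*?)/access\.log"))     # nfs/logs/webserver1
    now = 1_700_000_000
    print(is_ignored(now - 15 * 86400, "14d", now))                # True
```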