Time
6 hours 3 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. In this video, we're gonna be doing some configuration of Splunk inputs for monitor stanzas, which will basically just be monitoring the disk for
00:17
actual log files to read off of disk.
00:21
So
00:23
we'll go through how to set one of those up, a couple different wildcard options you have for specifying that, and then also talk about some of the key attributes you might use to enhance your configuration.
00:37
So before we get started, I've created some logs here. So if you
00:43
see we're in /opt/logs. I created this directory and I've given it to Splunk, so that it will be able to read all the logs. And I've created a couple subdirectories. So I have this Apache
00:55
with a couple sample logs. And then I also have
00:59
this Linux with a subdirectory
01:03
and a sample log as well. So we're gonna ingest all of this, and we're just going to leverage a couple different inputs stanzas to do that so that we can kind of demonstrate
01:17
some different ways to do this. We might need to back-reference this, so I'm going to take
01:23
a snippet of it so that if we forget a directory name,
01:27
we can reference that. I'll just put that there.
01:30
So I've already created an app to house these configurations. So it's just a matter of making the actual input.
01:38
I called it
01:41
Apache
01:44
inputs. It was
01:47
I was originally only going to do the one data source, but I decided to include another so that we could see some wildcard stuff. So the app name isn't good, but we're just going to ignore it because this is really just for the purpose of a test anyway, so it's not super important.
02:07
So a monitor stanza is what you use to tell Splunk that your input is a file on disk, and then you basically can specify the full path, so we'll show you the case of the Linux log. So we go to opt
02:24
logs, Linux, access sample dot txt. And so this would explicitly monitor just that one file.
02:36
We could also do just this to monitor everything in the directory. Then we can also leverage
02:44
a naming convention like
02:46
this,
02:47
saying that we want anything that's a .txt file or .log or whatever the extension might be.
02:53
There's also a cool trick where you can use a star as a directory name
03:01
and it'll wildcard whatever that value is. It'll
03:06
look within the directory to find anything that meets the further criteria. Or you could do three dots and it'll just recursively match. It'll check /opt/logs, it'll check every subdirectory and each of its subdirectories recursively to find something that's *.txt,
03:23
so we'll use this for monitoring purposes. We're gonna send this up to the main index, and we're going to set the sourcetype to
03:34
test one just for this purpose.
03:38
And then we'll set up another one and this one I will show you that we can watch multiple
03:45
files with a single stanza. So we'll do this and we'll just say watch Apache
03:51
and we'll just leave it at that and it'll monitor
03:53
everything within that directory.
03:57
Now we're only specifying this information, but if you wanted to, you could specify a whitelist or blacklist as well. So, for example, if I only wanted to see this file, this access log, I could say
04:15
whitelist this,
04:18
only capture this match
04:23
within this directory,
04:25
or conversely, I could say
04:29
blacklist and exclude that file. So if there's like some subset of these files, maybe there's a readme file in here or something, and you don't want to monitor that, but you want to monitor everything else, this is one way you could do that.
04:46
Also, another thing to note is, technically, if I'd opened these two log files, you would have seen that they are different
04:53
log formats, and they would have a different source type.
04:57
So you could either not set the sourcetype here and set it independently in props and transforms,
05:03
or you could create one input stanza per log
05:10
and set the sourcetype statically, so either way would work. It's just a matter of preference. And if you have a ton of logs and you need to do this, then it becomes kind of like an efficiency thing. It might be easier to just make one monitor stanza and then use some cool regex to
05:28
make it work
05:30
in props and transforms. We're not gonna jump into that right now, though,
05:34
so Splunk has already stopped. If I just do status, you can see that. So we're just going to start it.
05:42
Then we'll go over here to log in again
05:46
and take a look at how those inputs worked.
05:51
These ones are some of the more simple ones. So if I search all time,
05:58
you can see
06:03
that we now have,
06:05
test one was our one sourcetype. I had already done this
06:14
previously, and so this test is an old
06:20
Yeah, this is an old example, but
06:25
what did I make the other one?
06:28
Test one and test two. So
06:31
Okay, cool. So you can see we got both of the log files using our directory monitor
06:40
in this one. You can see over here, using the wildcard, the dot dot dot did work, and it still managed to find this file. So that's a cool demonstration, just showing you a couple of the options available for input monitors. And,
06:56
you know, the wildcards, whitelist, blacklist,
07:00
using naming conventions, etcetera. So these are really the simplest type of input, so we're not gonna dive any more into this. It's pretty simple. There are some complexities in terms of fixing the data. For example, in another lab where we talk about the fishbucket, I'll probably be using this data to show you
07:18
how when the settings are applied properly and you need to re ingest
07:24
how the fishbucket can kind of get in the way of that.
07:27
And how to get around that. But we'll be talking about that in another lab. So this covers all the basics about inputs.conf configurations for file monitors.
07:39
If you want to explore more options and see what else you can do with it, you can read through the inputs.conf spec file in the admin manual,
07:47
and you'll be able to find any other possible configuration. But this covers the big ones that you'll have to use most often, so that wraps up this lab and we'll see you in the next one.


Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Anthony Fecondo
Splunk Professional Service Consultant
Instructor