Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. In this video, we're going to be doing some configuration of Splunk inputs for monitor stanzas, which basically just means monitoring the disk for actual log files to read. We'll go through how to set one of those up, a couple of different wildcard options you have for specifying that, and then also talk about some of the key attributes you might use to enhance your configuration.
So before we get started, I've created some logs here. You can see we're in /opt/logs. I created this directory and gave it to Splunk so that it will be able to read all the logs. And I've created a couple of subdirectories: I have an apache directory with a couple of sample logs, and then I also have a linux directory with a subdirectory and a sample log as well. So we're going to ingest all of this, and we're just going to leverage a couple of different inputs stanzas to do that so that we can demonstrate some different ways to do this. We might need to back-reference this, so I'm going to take a snippet of it so that if we forget a directory name, we can reference it. I'll just put that there.
So I've already created an app to house these configurations, so it's just a matter of making the actual inputs. I called it inputs. I was originally only going to do the one data source, but I decided to include another so that we could see some wildcard stuff. So the app name isn't good, but we're just going to ignore it, because this is really just for the purpose of a test anyway, so it's not super important.
So a monitor stanza is what you use to tell Splunk that your input is a file on disk, and then you basically specify the full path. I'll show you the case of the Linux log: we go to /opt/logs/linux/access_sample.txt, and this would explicitly monitor just that one file. We could also give just the directory to monitor everything in it, and then we can also leverage a naming convention, like saying that we want anything that's a .txt file or .log or whatever the extension might be. There's also a cool trick where you can use an asterisk as a directory name and it'll wildcard whatever that value is, then look within the directory to find anything that meets the further criteria. Or you could use three dots and it'll recursively match: it will check /opt/logs, then check every subdirectory and each of its subdirectories recursively to find something that's *.txt. So we'll use this for monitoring purposes. We're going to send it up to the main index, and we're going to set the sourcetype to "test one" just for this purpose.
And then we'll set up another one, and with this one I'll show you that we can watch multiple files with a single stanza. So we'll do this and we'll just say watch /opt/logs/apache, and we'll just leave it at that, and it'll monitor everything within that directory.

Now we're only specifying this information, but if you wanted to, you could specify a whitelist or blacklist as well. So, for example, if I only wanted to see this file, this access log, I could say whitelist this, and it will only capture this match within this directory. Or conversely, I could say blacklist and exclude that file. So if there's some subset of these files, maybe there's a README file in here or something, and you don't want to monitor that but you want to monitor everything else, this is one way you could do that.
Also, another thing to note is that technically, if I'd opened these two log files, you would have seen that they are different log formats, and they would have a different sourcetype. So you could either not set the sourcetype here and set it independently in props and transforms, or you could create one input stanza per log and set the sourcetype statically. Either way would work; it's just a matter of preference. And if you have a ton of logs and you need to do this, then it becomes kind of an efficiency thing. It might be easier to just make one monitor stanza and then use some cool regex to make it work in props and transforms. We're not going to jump into that right now, though.
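As an added example (not the course's own app file), here is an inputs.conf that puts the stanzas described above side by side: the explicit single-file monitor, the `...` recursive wildcard, the directory monitor with a whitelist or blacklist, and the variant that leaves sourcetype unset so props/transforms can assign it. The directory layout (/opt/logs/linux, /opt/logs/apache), the file name access_sample.txt, the index `main` and the sourcetype spellings `test1`/`test2` are assumptions taken from the spoken walkthrough.

```ini
# Added example inputs.conf; not the configuration shown in the course.
# Assumed from the walkthrough: /opt/logs/linux, /opt/logs/apache,
# index "main", sourcetypes "test1" and "test2", file access_sample.txt.

# 1. Explicit single file: monitors exactly one path and nothing else.
#    Left disabled here because stanza 2 already covers this file; two
#    enabled monitors overlapping on the same file is a common mistake.
[monitor:///opt/logs/linux/access_sample.txt]
index = main
sourcetype = test1
disabled = true

# 2. Recursive wildcard: "..." descends every subdirectory under /opt/logs
#    and matches anything ending in .txt. A single "*" would match only
#    one path segment, e.g. /opt/logs/*/access_sample.txt would NOT reach
#    a file nested one level deeper.
[monitor:///opt/logs/.../*.txt]
index = main
sourcetype = test1
disabled = false

# 3. Whole directory. whitelist/blacklist are regexes tested against the
#    full file path. The whitelist keeps only the access log; the commented
#    blacklist shows the opposite approach (ingest everything except a
#    README-style file). Use one or the other, not both, for clarity.
[monitor:///opt/logs/apache]
index = main
sourcetype = test2
whitelist = access[^/]*\.log$
# blacklist = (?i)/readme[^/]*$
disabled = false

# 4. Same directory, sourcetype deliberately omitted: Splunk will fall
#    back to automatic sourcetyping, or you assign one per log format in
#    props.conf/transforms.conf instead of one stanza per file.
# [monitor:///opt/logs/apache]
# index = main
# disabled = false
```

Drop this in `$SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf`, then `splunk btool inputs list --debug` shows the merged stanzas and which file each attribute came from before you restart. Two things to keep in mind from a hygiene standpoint: the splunk user only needs read access to /opt/logs, so grant that rather than broader ownership, and once a file has been read, the fishbucket records it, so changing sourcetype or index later does not re-ingest data that was already consumed.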
So Splunk has already stopped; if I just run status, you can see that. So we're just going to start it. Then we'll go over here to log in again and take a look at how those inputs worked. These ones are some of the more simple ones. So if I search all time, you can see that we now have... "test one" was our one sourcetype. I had already done this previously, and so this test is an old one. Yeah, this is an old example, but what did I make the other one? "test one" and "test two". Okay, cool. So you can see we got both of the log files using our plain directory monitor in this one, and you can see over here that using the wildcard, the dot dot dot, did work and it still managed to find this file. So that's a cool demonstration, just showing you a couple of the options available for input monitors: the wildcards, whitelist, blacklist, using naming conventions, et cetera.

So these are really the simplest type of input, so we're not going to dive any more into this; it's pretty simple. There are some complexities in terms of fixing the data. For example, in another lab where we talk about the fishbucket, we will probably be using this data to show you how, when the settings are applied properly and you need to re-ingest, the fishbucket can kind of get in the way of that, and how to get around it. But we'll be talking about that in another lab. So this covers all the basics about inputs.conf configurations for file monitors. If you want to explore more options and see what else you can do with it, you can read through the inputs.conf spec file in the admin manual, and you'll be able to find any other possible configuration. But this covers the big ones that you'll have to use most often. So that wraps up this lab, and we'll see you in the next one.