How to set up the log to be rotated

Release date: 2015-05-07
Last updated: 2015-05-07
Version: Splunk Enterprise 6.0.1
Overview: How to set up the log to be rotated
Reference information
Content

Splunk decides whether a monitored file has already been ingested by checking a checksum (CRC) computed over the first bytes of the file (the first 256 bytes by default, set by initCrcLength in inputs.conf), not by the file name.

A rotated file that is left uncompressed (for example app.log.1) keeps the same leading bytes as the file Splunk has already read, so Splunk recognises it and continues from the saved position. When the rotated file is compressed, its leading bytes are the compressed stream, so the CRC no longer matches and Splunk treats it as a new file. Because Splunk transparently decompresses .gz files, it reads the same events a second time.

Duplicate events therefore occur when the rotated files are compressed and the monitored directory contains those compressed files. (Setting crcSalt = <SOURCE> on the stanza makes things worse, since the file path then becomes part of the checksum and every rotated copy looks new.)

In this case, exclude the rotated files from monitoring with a whitelist or blacklist in the monitor stanza.

*About whitelist and blacklist settings

  • whitelist: only files whose full path matches the regular expression are ingested
  • blacklist: files whose full path matches the regular expression are not ingested (a blacklist match takes precedence over a whitelist match)

Settings to exclude specific files from monitoring

[Setting procedure for ingesting only specific files with whitelist]

  • Edit the following configuration file.
$SPLUNK_HOME/etc/apps/<any app>/local/inputs.conf
[monitor://<path to the monitored directory or file>]
whitelist = \.log$

*Set the whitelist to a regular expression that matches only the files to be ingested. With \.log$ only files whose path ends in .log are read; note that this also excludes uncompressed rotated files such as app.log.1.

  • Restart the Splunk service ($SPLUNK_HOME/bin/splunk restart).

[Setting procedure for excluding only specific files with blacklist]

  • Edit the following configuration file.
$SPLUNK_HOME/etc/apps/<any app>/local/inputs.conf
[monitor://<path to the monitored directory or file>]
blacklist = \.gz$

* Set the blacklist to a regular expression that matches the files to be excluded. With \.gz$ only the compressed rotated files are skipped; uncompressed rotated files (app.log.1 and so on) remain monitored and are recognised by their CRC, so this is the narrower of the two settings.

  • Restart the Splunk service ($SPLUNK_HOME/bin/splunk restart).
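The following script is an added example, not part of the original article or of Splunk's own code. It reproduces both halves of the argument above on constructed data: it rotates a constructed log file by renaming and by renaming plus gzip and compares a CRC over the first 256 bytes of each copy (standing in for Splunk's initCrcLength check; the exact CRC variant Splunk uses does not matter for the comparison), and it applies the whitelist and blacklist regular expressions from the two procedures to full file paths the way a monitor stanza would, with a blacklist match taking precedence. The paths under /var/log/app and the helper names are assumptions for the demonstration.

```python
import gzip
import os
import re
import tempfile
import zlib

# Splunk identifies a file by a CRC over its leading bytes; the default
# length is 256 (inputs.conf initCrcLength). zlib.crc32 is used here as a
# stand-in; only "same leading bytes => same CRC" matters for the demo.
INIT_CRC_LENGTH = 256


def file_crc(path, length=INIT_CRC_LENGTH):
    """CRC over the first `length` bytes of the file, as Splunk would see it."""
    with open(path, "rb") as f:
        return zlib.crc32(f.read(length)) & 0xFFFFFFFF


def is_monitored(path, whitelist=None, blacklist=None):
    """Whitelist/blacklist semantics of a [monitor://] stanza.

    Both regexes are searched (not anchored) against the FULL path,
    a blacklist match always wins, and without a whitelist every
    non-blacklisted file is read.
    """
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist and not re.search(whitelist, path):
        return False
    return True


def filter_paths(paths, whitelist=None, blacklist=None):
    """Return the subset of `paths` the stanza would actually ingest."""
    return [p for p in paths if is_monitored(p, whitelist, blacklist)]


def rotation_demo():
    """Rotate a constructed log two ways and report, per copy, whether its
    leading-bytes CRC matches the live file (True = recognised as already
    ingested, False = seen as a brand-new file and re-read)."""
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "app.log")
        # Constructed sample log, well over 256 bytes so the CRC window is full.
        lines = [
            f"2015-05-07T10:00:{i:02d}Z host=web1 user=alice action=login\n"
            for i in range(20)
        ]
        with open(live, "w") as f:
            f.writelines(lines)
        data = open(live, "rb").read()

        # Rotation without compression: logrotate renames app.log -> app.log.1.
        renamed = os.path.join(workdir, "app.log.1")
        with open(renamed, "wb") as dst:
            dst.write(data)

        # Rotation with compression: app.log -> app.log.2.gz; the first bytes
        # are now the gzip header and deflate stream, not the log text.
        compressed = os.path.join(workdir, "app.log.2.gz")
        with gzip.open(compressed, "wb") as dst:
            dst.write(data)

        base = file_crc(live)
        return {
            os.path.basename(p): file_crc(p) == base
            for p in (live, renamed, compressed)
        }


if __name__ == "__main__":
    print(rotation_demo())
    sample = [
        "/var/log/app/app.log",
        "/var/log/app/app.log.1",
        "/var/log/app/app.log.2.gz",
    ]
    print("whitelist \\.log$ :", filter_paths(sample, whitelist=r"\.log$"))
    print("blacklist \\.gz$  :", filter_paths(sample, blacklist=r"\.gz$"))
```

Running it shows app.log.1 sharing the live file's CRC while app.log.2.gz does not, which is exactly why only the compressed copy is re-ingested. The two filter lines also show the practical difference between the procedures: the whitelist keeps only app.log, whereas the blacklist keeps app.log and app.log.1, leaving Splunk free to recognise the uncompressed rotated copy by CRC and finish reading it.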

That is all.
