format of the log file format for splunk

Question

The current log file name I have is: catalina.2010-02-24.log.

I want to add this for splunk indexing, but i am running into problems, since there is no static file name, since everyday tomcat renames the log file.

[tail:///var/logs/catalina.2010-02-24.log] is not gonna work. Is there a way around this problem

score 2 · Accepted Answer · answered Feb 25 '10 at 09:08

2

You can index either the whole directory, or use wildcards to select the appropriate files.

In your case, [monitor://var/logs/catalina.*.log] should work correctly.

answered Feb 25 '10 at 09:08

dart

61
2

Michael Mior · Answer 2 · 2010-02-24T22:47:06.970

0

You could add a script that runs as a daily cron job which symlinks the file based on the date to catalina.current.log or something such as this.

Example:

ln -sf /var/logs/catalina.`date +%Y-%m-%d`.log /var/logs/catalina.current.log

Then of course just use catalina.current.log to access the current day's log.

edited Feb 24 '10 at 22:47

answered Feb 24 '10 at 22:32

Michael Mior

388
1
5
17

Disclaimer: I know nothing about Splunk, so this may cause problems. – Michael Mior Feb 24 '10 at 22:49
You could also index `/var/logs/catalina.*.log` I believe. Or put the logs in `/var/logs/catalina` and monitor this directory. – Michael Mior Feb 24 '10 at 22:54

format of the log file format for splunk

2 Answers2