
SplunkAdministration: Inputs.conf - Configuration Hmpph. One works while the next fails




I am trying to index a log.xml file and have had NO luck unless I specify the full directory and file name. What I am trying to do is to do a [monitor] but use the /.../ to skip over some host specific naming conventions in the directory structure, and then pick off the log.xml name.
Look at what works and what fails and tell me if I am going goofy....don't answer that.

Works
[monitor::n01/oraadmin1/diag/tnslsnr/moberly/listener_moberly/alert/log.xml]
disabled = false
followTail = 1
sourcetype = oracle_listener_xml

Fails (this one uses a props file to hash out the odd date structure):
[monitor:///n01/oraadmin1/diag/tnslsnr/.../alert/]
disabled=false
followTail = 1
sourcetype=oracle_listener_xml
_whitelist=log.xml$
#_whitelist=.*\/log.xml$
crcSalt=<SOURCE>

Props.conf
[oracle_listener_xml]
sourcetype=oracle_listener_xml
SHOULD_LINEMERGE=true
AUTO_LINEMERGE=true
BREAK_ONLY_BEFORE_DATE=true
MAX_EVENTS=1000
TIME_PREFIX=^
TIME_FORMAT=%a %b %d %T %Y
MAX_TIMESTAMP_LOOKAHEAD=26

and a sample of the log.xml file:

<msg time='2009-11-04T13:03:35.603-06:00' org_id='oracle' comp_id='tnslsnr'
type='UNKNOWN' level='16' host_id='moberly'
host_addr='10.215.4.33' version='1'>
<txt>04-NOV-2009 13:03:35 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=jdbc)(USER=))(SERVER=DEDICATED)(SERVICE_NAME=oru266a.westlan.com)(FAILOVER_MODE=(TYPE=SELECT)(METHOD=BASIC)(RETRIES=180)(DELAY=5))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.215.4.10)(PORT=23859)) * establish * oru266a.westlan.com * 0
</txt>
</msg>

Not sure if it matters that there is another query down almost the same path to another file in a diff directory screwing things up within the inputs.conf, which is listed here:

  1. Listener Logs

[monitor:///n01/oraadmin1/diag/tnslsnr/]
disabled=false
sourcetype=oracle_listener
#_whitelist=.*\/(alert|trace)\/(log.xml|listener\_[\w]+\.log)$ - commented out despite working because the two files it finds, log.xml and listener.log need two separate sourcetypes but they use two separate date types.
_whitelist=.*\/trace\/listener\_[\w]+\.log$
crcSalt=<SOURCE>

Sorry if this is long-winded, but I can't seem to get the simple log.xml file to index.

Paul
...a part of v4.0 to the end.

Yeah. I never use that ... stuff in monitor clauses, I find them confusing. I use whitelist and blacklist only.

So, you did find a monitor stanza that works. Use

inputs.conf:
[monitor:///n01/oraadmin1/diag/tnslsnr/]
disabled=false
_whitelist=.*\/(alert|trace)\/(log.xml|listener\_[\w]+\.log)$
crcSalt=<SOURCE>

props.conf:
[source::.../log.xml]
sourcetype = oracle_listener_xml

[oracle_listener_xml]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_PREFIX = ^\<msg time=\'
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
MAX_TIMESTAMP_LOOKAHEAD = 50

[source::.../listener*.log]
sourcetype=oracle_listener

[Revised on Thu, 05 Nov 2009 16:05:42 -0800]
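To see why the answer's layout works, here is a small Python model of the three Splunk behaviours it relies on: the whitelist regex applied to the full path of every file found under the monitored directory, the `[source::...]` stanza patterns (`...` crossing directory levels, `*` staying within one) selecting a sourcetype per file, and `TIME_PREFIX` plus `MAX_TIMESTAMP_LOOKAHEAD` locating the timestamp inside the `<msg>` tag. This is an added example written for this thread, not code from the original posts or from Splunk; the file list is constructed from the directory tree Paul posted with the two host names filled in, the `...`/`*` semantics are stated as assumptions in the comments, and the Splunk `TIME_FORMAT` is rendered with Python's `%f`/`%z` because Python has no `%3N`.

```python
import re
from datetime import datetime

# Constructed directory listing modelled on the tree Paul posted; the
# <servername> placeholders are filled with the two hosts named in the thread.
# The last two files are added to show what the whitelist should reject.
FILES = [
    "/n01/oraadmin1/diag/tnslsnr/mobridge/listener_mobridge/trace/listener_mobridge.log",
    "/n01/oraadmin1/diag/tnslsnr/mobridge/listener_mobridge/alert/log.xml",
    "/n01/oraadmin1/diag/tnslsnr/moberly/listener_moberly/trace/listener_moberly.log",
    "/n01/oraadmin1/diag/tnslsnr/moberly/listener_moberly/alert/log.xml",
    "/n01/oraadmin1/diag/tnslsnr/moberly/listener_moberly/alert/log_1.xml",   # rotated copy
    "/n01/oraadmin1/diag/tnslsnr/moberly/listener_moberly/trace/notes.txt",   # unrelated file
]

# Settings copied from the answer's inputs.conf / props.conf.
MONITOR_PATH = "/n01/oraadmin1/diag/tnslsnr/"
WHITELIST = r".*\/(alert|trace)\/(log.xml|listener\_[\w]+\.log)$"
SOURCE_STANZAS = [
    (".../log.xml", "oracle_listener_xml"),
    (".../listener*.log", "oracle_listener"),
]
TIME_PREFIX = r"^\<msg time=\'"
MAX_TIMESTAMP_LOOKAHEAD = 50

# Constructed event: the first line of the <msg> sample from the question.
SAMPLE_EVENT = "<msg time='2009-11-04T13:03:35.603-06:00' org_id='oracle' comp_id='tnslsnr'"


def monitored_files(files, monitor_path, whitelist):
    """Model of [monitor://<dir>] plus whitelist: every file under the directory
    whose full path matches the whitelist regex (unanchored search, as Splunk does)."""
    rx = re.compile(whitelist)
    return [f for f in files if f.startswith(monitor_path) and rx.search(f)]


def source_pattern_to_regex(pattern):
    """Translate a props.conf [source::<pattern>] into a regex.
    Assumed Splunk semantics: '...' matches anything including '/',
    '*' matches anything except '/', everything else is literal."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def assign_sourcetype(path, stanzas):
    """Return the sourcetype of the first [source::] stanza whose pattern matches."""
    for pattern, sourcetype in stanzas:
        if source_pattern_to_regex(pattern).match(path):
            return sourcetype
    return None


def extract_timestamp(event, time_prefix, lookahead):
    """Model of TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD: skip past the prefix, then look
    for the timestamp within the next `lookahead` characters. The answer's Splunk
    TIME_FORMAT %Y-%m-%dT%H:%M:%S.%3N%Z is rendered here with Python's %f/%z
    (an assumed equivalent mapping; Python has no %3N)."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    ts = re.match(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}", window)
    if not ts:
        return None
    return datetime.strptime(ts.group(0), "%Y-%m-%dT%H:%M:%S.%f%z")


if __name__ == "__main__":
    for f in monitored_files(FILES, MONITOR_PATH, WHITELIST):
        print(f"{str(assign_sourcetype(f, SOURCE_STANZAS)):<20} {f}")
    print(extract_timestamp(SAMPLE_EVENT, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD))
```

Running it lists the four listener files with their sourcetypes and drops the rotated `log_1.xml` and the stray `notes.txt`, which is the point of the `$`-anchored whitelist: a looser pattern would pull rotated or unrelated files under the same sourcetype and the timestamp rules would then mis-parse them.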

Actually, it does make a slight difference (it's easier) if you're collecting on a light forwarder. Is that the case?

Yes....I am using this on a LightForwarder.
I was unaware that you could break out multiple [source::.../<file>] when originally it came from one dir path. I will try this and give feedback soon.
Thank you for the quick reply.

Paul

....now that's what I am talking about Willis!

/n01/oraadmin1/diag/tnslsnr
/n01/oraadmin1/diag/tnslsnr/<servername>/listener_<servername>/trace/listener_mobridge.log
/n01/oraadmin1/diag/tnslsnr/<server name>/listener_<servername>/alert/log.xml
/n01/oraadmin1/diag/tnslsnr/<servername>/listener_<servername>/trace/listener_moberly.log
/n01/oraadmin1/diag/tnslsnr/<servername>/listener_<servername>/alert/log.xml

Thank you. I will store this method in my back pocket for future use.

Paul

Yeah, with LWF this will work perfectly. You need the above "[source::]" entries on the LWF, and the above sourcetype settings (with linemerge and timestamp rules) on the indexer. You could just put both sets of config in both places, as the unneeded ones won't hurt; they'll just be ignored.