https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18577#M13670 <P>see above for full stanza</P> Fri, 27 May 2011 19:34:33 GMT gekoner 2011-05-27T19:34:33Z https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18574#M13667 <P>I have a very similar issues as MasterOogway mine is just on Windows. Running ver 4.1.6<BR /> I have a simple monitor set to watch for a specific file name with a regex to define the date stamped file. The file in question is named, /Logs/20110321/SERVER_APP_01_20110321_0001.txt</P> <P>On my LWF I have the following simple inputs.conf definition:</P> <PRE><CODE>F:\Program Files (x86)\App\App Server\Logs\...\*.txt. </CODE></PRE> <P>From ../splunkd.log I get the following error:</P> <PRE><CODE>DEBUG TailingProcessor - No configurations match, will ignore path='F:\Program Files (x86)\App\App Server\Logs\20110321\SERVER_APP_01_20110321_0001.txt DEBUG TailingProcessor - Not using stanza for this item (Did not match whitelist '^F:\\Program Files (x86)\\App\\App Server\\Logs\\.*\\[^\\]*\.txt$'.). </CODE></PRE> <P>My question is, "why does this not match?" It obviously finds the file based on the regex. </P> <P>FULL STANZA</P> <PRE><CODE>#Monitor App Server Logs [monitor://F:\Program Files (x86)\App\App Server\Logs\...\*.txt] sourcetype = APP </CODE></PRE> Mon, 28 Sep 2020 09:37:29 GMT https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18574#M13667 gekoner 2020-09-28T09:37:29Z https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18575#M13668 <P>ohh, and I tried adding "crcSalt = <SOURCE>" to inputs.conf</SOURCE></P> Fri, 27 May 2011 19:29:03 GMT https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18575#M13668 gekoner 2011-05-27T19:29:03Z https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18576#M13669 <P>I wouldn't expect crcSalt to do anything under these circumstances. This has to do with the whitelist not being matched, which isn't affected by the salt. Could you paste the entire monitor stanza into the description from your inputs.conf?</P> Fri, 27 May 2011 19:31:00 GMT https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18576#M13669 jbsplunk 2011-05-27T19:31:00Z https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18577#M13670 <P>see above for full stanza</P> Fri, 27 May 2011 19:34:33 GMT https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18577#M13670 gekoner 2011-05-27T19:34:33Z https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18578#M13671 <P>Interesting, it might be a bug. The regex contains <CODE>(x86)</CODE>, and the parentheses there are only used to group, not to match. The correct matching regex would have <CODE>\(x86\)</CODE> instead. That should have been generated correctly by Splunk from the monitor clause. I'm not sure of a good workaround.</P> Fri, 27 May 2011 23:10:57 GMT https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18578#M13671 gkanapathy 2011-05-27T23:10:57Z https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18579#M13672 <P>Looks like there is a problem with the wildcards ... and *.</P> <P>Tried with a whitelist instead and it works.<BR /> [monitor://F:\Program Files (x86)\App\App Server\Logs] sourcetype = APP whitelist = *..txt$ recursive = true</P> <P>Thank you Splunk support - Yann</P> Wed, 01 Jun 2011 15:41:51 GMT https://community.splunk.com/t5/Security/not-picking-up-monitored-file-No-configurations-match/m-p/18579#M13672 gekoner 2011-06-01T15:41:51Z