topic Re: Windows universal forwarder localappdata in Getting Data In

Windows universal forwarder localappdata

Niro — Wed, 07 Feb 2024 20:53:16 GMT

Hello,

I need to monitor log files that are in the following directory('s'):

"c:\users\%username%\appdata\local\app\$randomnumber$\app.log"

%username% is whoever is currently logged on (but I suppose I'd be ok with "*", any user folder) and $randomnumber$ is a unique ID that's going to always be different for every desktop, possibly change over time, and possibly be more than one folder for a given user.

How would I make the file monitor stanza in inputs.conf do that?

Thanks!

Re: Windows universal forwarder localappdata

richgalloway — Wed, 07 Feb 2024 21:41:58 GMT

Use wildcards for the unknown parts.

[monitor://c:\users\*\appdata\local\app\*\app.log]

Re: Windows universal forwarder localappdata

Niro — Wed, 07 Feb 2024 22:01:10 GMT

Thanks!

I just tried it - it doesn't SEEM to be working, I'm not getting any data in splunk even though I know the files are being updated. Looking at the index (just searching index=someapp) returns no data (index does exist).

This is what I have:

[monitor://c:\users\*\appdata\local\someapp\apps\*\app.log] index = someapp sourcetype=someapp disabled=0

Re: Windows universal forwarder localappdata

richgalloway — Wed, 07 Feb 2024 22:33:35 GMT

Verify splunk has read access to the file. Check splunkd.log for messages about reading the file.

Re: Windows universal forwarder localappdata

Niro — Wed, 07 Feb 2024 22:50:09 GMT

it SHOULD have access - I don't see any errors or anything. The only thing that comes up is

"Parsing configuration stanza: monitor://c:\users\*\appdata\local\apps\*\app.log."

but no errors...

Re: Windows universal forwarder localappdata

Niro — Tue, 13 Feb 2024 18:18:31 GMT

This ended up working - not sure what was wrong before, I think the timestamps were off. But it's all there, thanks!