https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196482#M39084 <P>That looks OK. Make sure you're really searching for the logs correctly (specifying index for instance, searching over all time etc), and if you're sure the logs aren't really there, troubleshoot by checking splunkd.log on the forwarder. Also this script can be of help in order to determine the status of Splunk's file monitor: <A href="http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/">http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/</A></P> Wed, 27 Aug 2014 09:04:49 GMT Ayn 2014-08-27T09:04:49Z https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196481#M39083 <P>I want to monitor <STRONG>XML</STRONG> files residing inside sub-directories.</P> <P><STRONG>Files inside Path :</STRONG> <BR /></P> <PRE><CODE>D:\Roll\DIP\SessionLogs\35\1.xml D:\Roll\DIP\SessionLogs\35\2.xml D:\Roll\DIP\SessionLogs\35\3.xml D:\Roll\DIP\SessionLogs\36\1.xml D:\Roll\DIP\SessionLogs\36\2.xml D:\Roll\DIP\SessionLogs\36\3.xml </CODE></PRE> <P>I set inputs.conf: (in Universal forwarder)</P> <PRE><CODE>[monitor://D:\Roll\DIP\SessionLogs\] index = myindex sourcetype = session_log </CODE></PRE> <P>props.conf (in indexer)</P> <PRE><CODE>[session_logs] KV_MODE = xml </CODE></PRE> <P>I dont get the logs in Search head ? Something am i missing here ..?</P> Wed, 27 Aug 2014 08:58:45 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196481#M39083 splunker12er 2014-08-27T08:58:45Z https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196482#M39084 <P>That looks OK. Make sure you're really searching for the logs correctly (specifying index for instance, searching over all time etc), and if you're sure the logs aren't really there, troubleshoot by checking splunkd.log on the forwarder. Also this script can be of help in order to determine the status of Splunk's file monitor: <A href="http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/">http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/</A></P> Wed, 27 Aug 2014 09:04:49 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196482#M39084 Ayn 2014-08-27T09:04:49Z https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196483#M39085 <P>The below will monitor everything..</P> <PRE><CODE>[monitor://D:\Roll\DIP\SessionLogs\...\*.xml] index = myindex sourcetype = session_log recursive = true </CODE></PRE> <P>Thanks,<BR /> L</P> Wed, 27 Aug 2014 09:07:54 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196483#M39085 linu1988 2014-08-27T09:07:54Z https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196484#M39086 <P>Note: A single dot (.) is not a wildcard, and is the regex equivalent of ..</P> <PRE><CODE>Caution: In Windows, you cannot currently use a wildcard at the root level. For example, this does not work: [monitor://E:\...\foo\*.log] Splunk Enterprise logs an error and fails to index the desired files. This is a known issue, described in the Known Issues topic of the Release Notes. Look there for details on all known issues. </CODE></PRE> Wed, 27 Aug 2014 09:37:11 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196484#M39086 splunker12er 2014-08-27T09:37:11Z https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196485#M39087 <P>I tried in my windows universal forwarder the script , but cant execute it ,</P> <PRE><CODE>C:\Program Files\SplunkUniversalForwarder\bin&gt;splunk cmd python "c:\filestatus.py" CreateProcess: The system cannot find the file specified. couldn't run "c:\Program Files\SplunkUniversalForwarder\bin\python": The system cannot find the file specified. </CODE></PRE> Wed, 27 Aug 2014 09:41:37 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196485#M39087 splunker12er 2014-08-27T09:41:37Z https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196486#M39088 <P>I tried ,</P> <PRE><CODE>&gt;splunk list monitor </CODE></PRE> <P>Its shows the list of files &amp; directories that are being monitored, but still cant view the data in SH. also there is no any errors in splunkd log.</P> Wed, 27 Aug 2014 09:43:40 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196486#M39088 splunker12er 2014-08-27T09:43:40Z https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196487#M39089 <P>Below Works good :</P> <P>At forwarder : (inputs.conf)</P> <PRE><CODE>[monitor://D:\Roll\DIP\SessionLogs\] recursive = true index = myindex sourcetype = session_log whitelist = \.xml$ </CODE></PRE> <P>At Indexer: (props.conf)</P> <PRE><CODE>[session_log] DATETIME_CONFIG = CURRENT KV_MODE = xml LINE_BREAKER = (&lt;/Data&gt;) ###Last element of the XML file MAX_TIMESTAMP_LOOKAHEAD = 150 NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = False pulldown_type = 1 </CODE></PRE> Thu, 28 Aug 2014 07:29:39 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-How-to-monitor-XML-files-within-a-sub-directory/m-p/196487#M39089 splunker12er 2014-08-28T07:29:39Z