All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I verify my monitoring of a log file in Splunk Add-on for Microsoft Windows?

mikemohawk
Explorer
‎04-11-2018 12:43 PM

I want to monitor the Sailpoint.log file on a Windows client. I've put both the full path and just the directory. The last to lines in the file have been both commented and uncommented. I've also run btool to see if there is a syntax error.
inputs.conf entry
[monitor://C:\Identity IQ]

disabled = false

whitelist = .log

I am very new to this and more of a linux guy. Is this syntax correct? If so can someone give me the precise syntax to use for a search?

Regards

Reply

mikemohawk
Explorer
‎04-13-2018 10:56 AM

Consider this question answered by the requester.

0 Karma
Reply

brad_thomas
Explorer
‎04-11-2018 02:32 PM

Your last 2 lines are commented out. Remove the '#' from each line so it reads:

[monitor://C:\Identity IQ]
disabled = false
whitelist = .log

Then to verify that log files are being indexed, you can run the following search (with the correct time frame selected)

source="C:\Identity IQ*"

This will return any files that have been indexed in that directory.

0 Karma
Reply

mikemohawk
Explorer
‎04-12-2018 04:28 AM

Thank you Brad.

0 Karma
Reply

mikemohawk
Explorer
‎04-12-2018 06:56 AM

I've tried it multiple times and still doesn't work.
I don't have direct access to the server so I have a Windows admin running commands and he's tried **splunk add monitor c:\Identity IQ\
error : Must be in the form '-parameter value"
Also tried
C:\Program Files\SplunkUniversalForwarder\bin>splunk add monitor “c:\Identity IQ\”
Same error message. Using both inputs.conf and CLI it fails. Can't be this hard to just add this path. Been looking for answers out here for over a day with no luck. Did this in linux in 5 minutes. Suggestions would greatly be appreciated.
Thanks

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎04-12-2018 04:44 AM

@mikemohawk,

Did this resolve your issue? If so, I can move the comment by brad_thomas to an answer so you could mark it accepted?

If not, then no worries, just post back with what it's doing now! (Personally, I thought you need a backslash at the end of the monitor stanza name, but I can certainly be wrong).

0 Karma
Reply

mikemohawk
Explorer
‎04-11-2018 12:45 PM

what is this moderation issue? Are they expecting more information?

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top