- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How do I verify my monitoring of a log file in Spl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I verify my monitoring of a log file in Splunk Add-on for Microsoft Windows?
I want to monitor the Sailpoint.log file on a Windows client. I've put both the full path and just the directory. The last to lines in the file have been both commented and uncommented. I've also run btool to see if there is a syntax error.
inputs.conf entry
[monitor://C:\Identity IQ]
disabled = false
whitelist = .log
I am very new to this and more of a linux guy. Is this syntax correct? If so can someone give me the precise syntax to use for a search?
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Consider this question answered by the requester.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your last 2 lines are commented out. Remove the '#' from each line so it reads:
[monitor://C:\Identity IQ]
disabled = false
whitelist = .log
Then to verify that log files are being indexed, you can run the following search (with the correct time frame selected)
source="C:\Identity IQ*"
This will return any files that have been indexed in that directory.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Brad.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've tried it multiple times and still doesn't work.
I don't have direct access to the server so I have a Windows admin running commands and he's tried **splunk add monitor c:\Identity IQ\
error : Must be in the form '-parameter value"
Also tried
C:\Program Files\SplunkUniversalForwarder\bin>splunk add monitor “c:\Identity IQ\”
Same error message. Using both inputs.conf and CLI it fails. Can't be this hard to just add this path. Been looking for answers out here for over a day with no luck. Did this in linux in 5 minutes. Suggestions would greatly be appreciated.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mikemohawk,
Did this resolve your issue? If so, I can move the comment by brad_thomas to an answer so you could mark it accepted?
If not, then no worries, just post back with what it's doing now! (Personally, I thought you need a backslash at the end of the monitor stanza name, but I can certainly be wrong).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what is this moderation issue? Are they expecting more information?
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
