not picking up monitored file - No configurations match

gekoner
Communicator

I have a very similar issue to MasterOogway's; mine is just on Windows. Running ver 4.1.6.
I have a simple monitor set to watch for a specific file name with a regex to define the date-stamped file. The file in question is named /Logs/20110321/SERVER_APP_01_20110321_0001.txt

On my LWF I have the following simple inputs.conf definition:

F:\Program Files (x86)\App\App Server\Logs\...\*.txt.

From ../splunkd.log I get the following error:

DEBUG TailingProcessor - No configurations match, will ignore path='F:\Program Files (x86)\App\App Server\Logs\20110321\SERVER_APP_01_20110321_0001.txt

DEBUG TailingProcessor -     Not using stanza for this item (Did not match whitelist '^F:\\Program Files (x86)\\App\\App Server\\Logs\\.*\\[^\\]*\.txt$'.).

My question is, "why does this not match?" It obviously finds the file based on the regex.

FULL STANZA

#Monitor App Server Logs
[monitor://F:\Program Files (x86)\App\App Server\Logs\...\*.txt]
sourcetype = APP
1 Solution

gekoner
Communicator

Looks like there is a problem with the wildcards ... and *.

Tried with a whitelist instead and it works.
[monitor://F:\Program Files (x86)\App\App Server\Logs]
sourcetype = APP
whitelist = *..txt$
recursive = true

Thank you Splunk support - Yann

gkanapathy
Splunk Employee

Interesting, it might be a bug. The regex contains (x86), and the parentheses there are only used to group, not to match. The correct matching regex would have \(x86\) instead. That should have been generated correctly by Splunk from the monitor clause. I'm not sure of a good workaround.
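
The mismatch described in the reply above can be reproduced offline. This is an added example, not part of the original thread and not Splunk's code: Python's `re` stands in for Splunk's regex engine, `monitor_to_whitelist` is a hypothetical converter that escapes literal characters, and `NO_PARENS` is a constructed path.

```python
import re

# Path and generated whitelist copied from the splunkd.log lines in the question.
PATH = r"F:\Program Files (x86)\App\App Server\Logs\20110321\SERVER_APP_01_20110321_0001.txt"
GENERATED = r"^F:\\Program Files (x86)\\App\\App Server\\Logs\\.*\\[^\\]*\.txt$"
MONITOR = r"F:\Program Files (x86)\App\App Server\Logs\...\*.txt"
# Constructed path without the parentheses, to show what GENERATED really accepts.
NO_PARENS = r"F:\Program Files x86\App\App Server\Logs\20110321\a.txt"


def matches(whitelist: str, path: str) -> bool:
    return re.search(whitelist, path) is not None


def monitor_to_whitelist(monitor_path: str) -> str:
    # Hypothetical converter (an assumption, not Splunk's implementation):
    # "..." recurses, "*" stays inside one path segment, and every other
    # character is escaped so that "(", ")" and "." match literally.
    out, i = [], 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            out.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        else:
            out.append(re.escape(monitor_path[i]))
            i += 1
    return "^" + "".join(out) + "$"


if __name__ == "__main__":
    escaped = GENERATED.replace("(x86)", r"\(x86\)")
    for label, rx in [("generated", GENERATED), ("escaped", escaped),
                      ("converter", monitor_to_whitelist(MONITOR))]:
        print(f"{label:10} real path: {matches(rx, PATH)!s:5} "
              f"no-parens path: {matches(rx, NO_PARENS)}")
```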

gekoner
Communicator

See above for full stanza.

0 Karma

jbsplunk
Splunk Employee

I wouldn't expect crcSalt to do anything under these circumstances. This has to do with the whitelist not being matched, which isn't affected by the salt. Could you paste the entire monitor stanza into the description from your inputs.conf?

0 Karma

gekoner
Communicator

Ohh, and I tried adding "crcSalt = " to inputs.conf.

0 Karma