
not picking up monitored file - No configurations match

Communicator

I have a very similar issue to MasterOogway's; mine is just on Windows. Running ver 4.1.6.
I have a simple monitor set to watch for a specific file name with a regex to define the date stamped file. The file in question is named, /Logs/20110321/SERVER_APP_01_20110321_0001.txt

On my LWF I have the following simple inputs.conf definition:

F:\Program Files (x86)\App\App Server\Logs\...\*.txt.

From ../splunkd.log I get the following error:

DEBUG TailingProcessor - No configurations match, will ignore path='F:\Program Files (x86)\App\App Server\Logs\20110321\SERVER_APP_01_20110321_0001.txt

DEBUG TailingProcessor -     Not using stanza for this item (Did not match whitelist '^F:\\Program Files (x86)\\App\\App Server\\Logs\\.*\\[^\\]*\.txt$'.).

My question is, "why does this not match?" It obviously finds the file based on the regex.

FULL STANZA

#Monitor App Server Logs
[monitor://F:\Program Files (x86)\App\App Server\Logs\...\*.txt]
sourcetype = APP
1 Solution

Communicator

Looks like there is a problem with the wildcards ... and *.

Tried with a whitelist instead and it works.
[monitor://F:\Program Files (x86)\App\App Server\Logs]
sourcetype = APP
whitelist = *..txt$
recursive = true

Thank you Splunk support - Yann


Splunk Employee

Interesting, it might be a bug. The regex contains (x86), and the parentheses there are only used to group, not to match. The correct matching regex would have \(x86\) instead. That should have been generated correctly by Splunk from the monitor clause. I'm not sure of a good workaround.
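The mismatch described in the reply above can be reproduced offline. This is an added example, not part of the original thread and not Splunk's code: `monitor_to_regex` is a hypothetical translation of the monitor path, and Python's `re` stands in for Splunk's regex engine. The path and whitelist regex are the ones quoted from splunkd.log in the question.

```python
import re

# Values copied from the question: the monitored file, the whitelist regex
# logged by TailingProcessor, and the monitor path from inputs.conf.
PATH = r"F:\Program Files (x86)\App\App Server\Logs\20110321\SERVER_APP_01_20110321_0001.txt"
LOGGED_WHITELIST = r"^F:\\Program Files (x86)\\App\\App Server\\Logs\\.*\\[^\\]*\.txt$"
MONITOR = r"F:\Program Files (x86)\App\App Server\Logs\...\*.txt"


def monitor_to_regex(monitor_path, escape_literals=True):
    """Hypothetical translation of a monitor path into an anchored regex.

    '...' recurses through directories, '*' stays inside one path segment.
    With escape_literals=False only backslash and dot are escaped, which
    reproduces the regex seen in the log.
    """
    out = []
    for token in re.split(r"(\.\.\.|\*)", monitor_path):
        if token == "...":
            out.append(".*")
        elif token == "*":
            out.append(r"[^\\]*")
        elif escape_literals:
            out.append(re.escape(token))  # escapes ( ) as well
        else:
            out.append(token.replace("\\", "\\\\").replace(".", r"\."))
    return "^" + "".join(out) + "$"


def matches(regex, path):
    """True if the whitelist regex accepts the path."""
    return re.search(regex, path) is not None


if __name__ == "__main__":
    naive = monitor_to_regex(MONITOR, escape_literals=False)
    fixed = monitor_to_regex(MONITOR)
    print("naive == logged regex:", naive == LOGGED_WHITELIST)
    print("logged regex matches file:", matches(LOGGED_WHITELIST, PATH))
    # The unescaped group matches the text 'x86' without parentheses.
    print("logged regex matches path without parens:",
          matches(LOGGED_WHITELIST, PATH.replace("(x86)", "x86")))
    print("escaped regex:", fixed)
    print("escaped regex matches file:", matches(fixed, PATH))
```
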

Communicator

see above for full stanza

0 Karma

Splunk Employee

I wouldn't expect crcSalt to do anything under these circumstances. This has to do with the whitelist not being matched, which isn't affected by the salt. Could you paste the entire monitor stanza into the description from your inputs.conf?

0 Karma

Communicator

ohh, and I tried adding "crcSalt = " to inputs.conf

0 Karma