Dashboards & Visualizations

monitor file with dynamic directiory name

wickett
New Member

I have the following folder listing in C:\Resources\Directory\ which the naming of the folder are dynamic. It changes dynamically when logs are created with this type of prefix (dynamic).(dynamic).(Fixed)

Example :
(dynamic) . (dynamic) . (Fixed)
0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.DiagnosticStore
0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.localInstallDirectory
0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.LogStorage

Questions :

  • Let say I want to index all files under 0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.DiagnosticStore. Can I structure my inputs.conf monitor stanza using wildcards example for all new created dynamic foldername ? :
[monitor://C:\Resources\Directory\*.*.DiagnosticStore]
disabled = false
followTail = 0
sourcetype = mysourcetype
  • Let say in my inputs.conf I index entire folder under C:\Resources\Directory but there is several files under *.KeyValidationWebRole.DiagnosticStore which needs props.conf to change the encoding. How do I write the config stanza that need the encoding exception ?
0 Karma

tgow
Splunk Employee
Splunk Employee

Looking at the online docs I see the following:

Note concerning wildcards and monitor:

  • You can use wildcards to specify your input path for monitored input. Use "..." for recursive directory matching and "*" for wildcard matching in a single directory segment.
  • "..." recurses through directories. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc.
  • You can use multiple "..." specifications in a single input path. For example: /foo/.../bar/...
  • The asterisk () matches anything in a single path segment; unlike "...", it does not recurse. For example, /foo//bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar . A second example: /foo/m*r/bar matches /foo/bar, /foo/mr/bar, /foo/mir/bar, /foo/moor/bar, etc.
  • You can combine "" and "..." as required: foo/.../bar/ matches any file in the bar directory within the specified path.

Are there files under the DiagnosticStore directory?

[monitor://C:\Resources\Directory...DiagnosticStore...]

Does this work.

Here is the link to more info in the Docs:

http://docs.splunk.com/Documentation/Splunk/4.2.4/admin/Inputsconf

0 Karma

tgow
Splunk Employee
Splunk Employee

On the first question, I would use the "..." syntax in your monitor stanza. For instance:

[monitor://C:\Resources\Directory...DiagnosticStore]

On the second question you can use the "..." syntax as well in the prop.conf to pull out only certain files and give them specific encoding. For instance:

[source::...KeyValidationWebRole.DiagnosticStore...]
sourcetype=awesome

Might help to see what the file names under this directory.

0 Karma

wickett
New Member

Tried your solution and it does not work

Not working

[monitor://C:\Resources\Directory\ ..DiagnosticStore]

[monitor://C:\Resources\Directory\...DiagnosticStore]

[monitor://C:\Resources\Directory\*DiagnosticStore]

Any suggestions ??

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...