
monitor file with dynamic directory name

wickett
New Member

I have the following folder listing in C:\Resources\Directory\, in which the folder names are dynamic. They change dynamically when logs are created, with this type of prefix: (dynamic).(dynamic).(Fixed)

Example :
(dynamic) . (dynamic) . (Fixed)
0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.DiagnosticStore
0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.localInstallDirectory
0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.LogStorage

Questions :

  • Let's say I want to index all files under 0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.DiagnosticStore. Can I structure my inputs.conf monitor stanza using wildcards, for example as follows, for all newly created dynamic folder names?
[monitor://C:\Resources\Directory\*.*.DiagnosticStore]
disabled = false
followTail = 0
sourcetype = mysourcetype
  • Let's say in my inputs.conf I index the entire folder under C:\Resources\Directory, but there are several files under *.KeyValidationWebRole.DiagnosticStore which need props.conf to change the encoding. How do I write the config stanza that needs the encoding exception?
0 Karma

tgow
Splunk Employee

Looking at the online docs I see the following:

Note concerning wildcards and monitor:

  • You can use wildcards to specify your input path for monitored input. Use "..." for recursive directory matching and "*" for wildcard matching in a single directory segment.
  • "..." recurses through directories. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc.
  • You can use multiple "..." specifications in a single input path. For example: /foo/.../bar/...
  • The asterisk (*) matches anything in a single path segment; unlike "...", it does not recurse. For example, /foo/*/bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar. A second example: /foo/m*r/bar matches /foo/bar, /foo/mr/bar, /foo/mir/bar, /foo/moor/bar, etc.
  • You can combine "*" and "..." as required: foo/.../bar/* matches any file in the bar directory within the specified path.

Are there files under the DiagnosticStore directory?

[monitor://C:\Resources\Directory...DiagnosticStore...]

Does this work?

Here is the link to more info in the Docs:

http://docs.splunk.com/Documentation/Splunk/4.2.4/admin/Inputsconf

0 Karma
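An added example (not code from this thread or from Splunk): a small Python model of the two wildcards described in the quoted docs, for checking candidate stanza paths against sample file paths before deploying them. It assumes "..." means "any characters", "*" means "any characters except a path separator", and that a pattern has to cover the whole file path; the file names are constructed.

```python
import re

# Assumption: a simplified model of the two wildcards, not Splunk's own matcher.
#   "..." -> any characters, path separators included (recursive)
#   "*"   -> any characters except a path separator (single segment)
SEP = r"\\/"  # separators, written for use inside a regex character class

def wildcard_to_regex(path):
    """Translate a monitor-style wildcard path into an anchored regex."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")
            i += 3
        elif path[i] == "*":
            out.append(f"[^{SEP}]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    # Assumption: the pattern must match the full file path, start to end.
    return re.compile("^" + "".join(out) + "$")

def matches(pattern, file_path):
    return wildcard_to_regex(pattern).match(file_path) is not None

ROOT = "C:\\Resources\\Directory\\"
DEPLOY = "0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole"
# Constructed sample files; only the directory names come from the thread.
FILES = [
    ROOT + DEPLOY + ".DiagnosticStore\\diag.log",
    ROOT + DEPLOY + ".DiagnosticStore\\sub\\nested.log",
    ROOT + DEPLOY + ".LogStorage\\app.log",
]
CANDIDATES = [
    ROOT + "*.*.DiagnosticStore",       # stanza path from the question
    ROOT + "*.*.DiagnosticStore\\*",    # files directly in the directory
    ROOT + "*.*.DiagnosticStore\\...",  # files at any depth below it
]

def coverage(pattern):
    """Return the sample files that a candidate pattern covers."""
    return [f for f in FILES if matches(pattern, f)]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(c, "->", len(coverage(c)), "of", len(FILES), "sample files")
```

Under these assumptions, a pattern that stops at the directory name covers none of the files inside it, while the trailing `\*` and `\...` forms cover one and two of the sample files respectively.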

tgow
Splunk Employee

On the first question, I would use the "..." syntax in your monitor stanza. For instance:

[monitor://C:\Resources\Directory...DiagnosticStore]

On the second question, you can use the "..." syntax as well in props.conf to pull out only certain files and give them a specific encoding. For instance:

[source::...KeyValidationWebRole.DiagnosticStore...]
sourcetype=awesome

Might help to see what the file names under this directory are.

0 Karma

wickett
New Member

Tried your solution and it does not work.

Not working

[monitor://C:\Resources\Directory\ ..DiagnosticStore]

[monitor://C:\Resources\Directory\...DiagnosticStore]

[monitor://C:\Resources\Directory\*DiagnosticStore]

Any suggestions?

0 Karma