Getting Data In
Highlighted

FS Change Config

Path Finder

I have the following fschange config in my inputs.conf file,

[default]
host = FF-ITP-PRD-01

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0

[fschange:D:\Logs\FF-ITP-PRD-01\ITPDP [FF_ITP_Server] #1]
index = app
filters = terminal-blacklist
pollPeriod = 300
fullEvent = true
delayInMills = 1000

[fschange:D:\Logs\FF-ITP-PRD-01\ITPDP [FF_ITP_Server] #2]
index = app
filters = terminal-blacklist
pollperiod = 300
fullEvent = true
delayInMills = 1000

[filter:blacklist:terminal-blacklist]
regex1 =D:\Logs\FF-ITP-PRD-01\ITPDP [FF_ITP_Server] #1\itpdp*.log
regex2 =D:\Logs\FF-ITP-PRD-01\ITPDP [FF_ITP_Server] #2\itpdp*.log

I do no want Splunk to index itpdp log files that get generated in the following folders so I created a blacklist however it does not seems to work.

D:\Logs\FF-ITP-PRD-01\ITPDP [FF_ITP_Server] #1]

D:\Logs\FF-ITP-PRD-01\ITPDP [FF_ITP_Server] #2]

could someone review the above and advise if there is a problem with my inputs.conf file

Many thanks.

Tags (1)
0 Karma
Highlighted

Re: FS Change Config

Ultra Champion

I'm not sure if I understand your example code correctly, but it's quite possible that hashes (#) and square brackets ([,]) can not be part of your fschange stanzas (if that is actually the case). Does your path to the log directories contain these types of character, or are you being informative towards the readers? If the last #1] and #2] in the fschange stanza are treated as comments, then you have unmatching brackets - two starting and one ending.

Somebody more knowledgeable should tell you whether these characters can be present within a stanza or if they must be escaped.

Are there any interesting error messages in splunkd.log when you restart the splunk instance where the fschange monitoring is taking place? That could be a good hint.

A possible workaround, if you cannot rename the directories, is to reference the directories with their short names. Try

dir /x d:\logs\FF-ITP-PRD-01\

which should give the short names (8.3) of the underlying files and directories, in your case something like

ITPDP_~1
ITPDP_~2 

Given the length of your real directory name, the short names should hopefully not contain brackets or hashes. At least these were the names given by my win-machine.

BTW, you know you are not supposed to [monitor] and [fschange] the same directory - but this is perhaps what the blacklist is all about.

Hope this helps,

Kristian

View solution in original post

0 Karma