- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I monitor the same file on different drive...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I monitor the same file on different drives in windows?
I'm trying to monitor the same file on different drives on Windows systems. I tried putting a wildcard into the inputs.conf but that doesn't seem to work for a drive letter.
For instance I have these two different paths:
C:\Program Files\folder\file.txt
D:\Program Files\folder\file.txt
I tried editing my inputs.conf as below
[monitor://*:\Program Files\folder\file.txt]
[monitor://Program Files\folder\file.txt]
No luck with either one and I haven't been able to find any other questions addressing this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
was the solution found for this requirement to monitor same files under different directories ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you need a solution for a fleet of hosts, where one file might appear in a number of different known locations across different endpoints, due to inconsistent builds or what have you.. Splunk honors Windows environment variables, but does so with "linuxy" syntax. So I have the build orchestration set a system-wide envvar %APPLOGS% to either "C:\path" or "D:\path" on the host, and then do a [monitor://$APPLOGS\file.log] stanza in my inputs.conf. The key is the two different dialects of environment variable.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually we can not get this env variable created on thousands of desktops. Need a generic solution which can only be implemented using splunk config.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try a regex in the path:
[monitor://[A-Z]:\Program Files\folderfile.txt]
http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Specifyinputpathswithwildcards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe you are looking for the ellipses option. See documentation:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Specifyinputpathswithwildcards
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
