Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I monitor input on Windows machine with a w...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I monitor input on Windows machine with a wild card character?
santosh_sshanbh
Path Finder
09-28-2018
06:56 AM
I want to monitor a log file from the below location on a Windows server.
D:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps\config\
However, based on the version of tomcat, the folder name changes. It could be Tomcat 6.0 or Tomcat 7.5 — etc. — on some servers. So, I tried with a different input stanza on the Universal Forwarder in the inputs.conf file.
[monitor://d:\Program Files\Apache Software Foundation\Tomcat*\webapps\config\audit.log]
[monitor://d:\Program Files\Apache Software Foundation\\*\webapps\config\audit.log]
[monitor://d:\Program Files\Apache Software Foundation\\...\webapps\config\audit.log]
None of the above options work and in the Splunkd.log file, I can see the below entry
09-28-2018 13:44:24.422 +0000 INFO TailingProcessor - Adding watch on path: d:\Program Files\Apache Software Foundation.
which means it is not recognizing folder structure mentioned in input stanza.
Please suggest a solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
09-28-2018
09:24 AM
can you try this: (made D capital)
[monitor://D:\Program Files\Apache Software Foundation\*\webapps\config\audit.log]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
santosh_sshanbh
Path Finder
09-28-2018
08:50 PM
Tried the same with D in caps but no success. Splunkd log still shows below
Adding watch on path: D:\Program Files\Apache Software Foundation
It seems that it is not recognizing rest of the path in monitor stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JDukeSplunk
Builder
09-28-2018
10:56 AM
We do that very same thing for Tomcat logs since the server team cannot make up their mind where Apache should live.
Java and GC Logs
[monitor:///opt/apache-tomcat/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d
[monitor:///opt/prpc/prpclogs/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d
[monitor:///opt/prpc/pegalogs/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d
[monitor:///opt/prpc/logs/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
santosh_sshanbh
Path Finder
09-28-2018
08:33 PM
Thanks for you inputs. However, in my case the UF is running on Windows OS and your stanza seems to be for Unix based system. I tried multiple options on windows but nothing is working.
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
