Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I monitor input on Windows machine with a w...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I monitor input on Windows machine with a wild card character?
I want to monitor a log file from the below location on a Windows server.
D:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps\config\
However, based on the version of tomcat, the folder name changes. It could be Tomcat 6.0 or Tomcat 7.5 — etc. — on some servers. So, I tried with a different input stanza on the Universal Forwarder in the inputs.conf file.
[monitor://d:\Program Files\Apache Software Foundation\Tomcat*\webapps\config\audit.log]
[monitor://d:\Program Files\Apache Software Foundation\\*\webapps\config\audit.log]
[monitor://d:\Program Files\Apache Software Foundation\\...\webapps\config\audit.log]
None of the above options work and in the Splunkd.log file, I can see the below entry
09-28-2018 13:44:24.422 +0000 INFO TailingProcessor - Adding watch on path: d:\Program Files\Apache Software Foundation.
which means it is not recognizing folder structure mentioned in input stanza.
Please suggest a solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you try this: (made D capital)
[monitor://D:\Program Files\Apache Software Foundation\*\webapps\config\audit.log]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried the same with D in caps but no success. Splunkd log still shows below
Adding watch on path: D:\Program Files\Apache Software Foundation
It seems that it is not recognizing rest of the path in monitor stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We do that very same thing for Tomcat logs since the server team cannot make up their mind where Apache should live.
Java and GC Logs
[monitor:///opt/apache-tomcat/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d
[monitor:///opt/prpc/prpclogs/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d
[monitor:///opt/prpc/pegalogs/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d
[monitor:///opt/prpc/logs/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for you inputs. However, in my case the UF is running on Windows OS and your stanza seems to be for Unix based system. I tried multiple options on windows but nothing is working.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
