Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I monitor input on Windows machine with a wild card character?

santosh_sshanbh
Path Finder
‎09-28-2018 06:56 AM

I want to monitor a log file from the below location on a Windows server.

D:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps\config\

However, based on the version of tomcat, the folder name changes. It could be Tomcat 6.0 or Tomcat 7.5 — etc. — on some servers. So, I tried with a different input stanza on the Universal Forwarder in the inputs.conf file.

[monitor://d:\Program Files\Apache Software Foundation\Tomcat*\webapps\config\audit.log]
[monitor://d:\Program Files\Apache Software Foundation\\*\webapps\config\audit.log]
[monitor://d:\Program Files\Apache Software Foundation\\...\webapps\config\audit.log]

None of the above options work and in the Splunkd.log file, I can see the below entry

09-28-2018 13:44:24.422 +0000 INFO  TailingProcessor - Adding watch on path: d:\Program Files\Apache Software Foundation.

which means it is not recognizing folder structure mentioned in input stanza.

Please suggest a solution.

0 Karma
Reply

493669
Super Champion
‎09-28-2018 09:24 AM

can you try this: (made D capital)

[monitor://D:\Program Files\Apache Software Foundation\*\webapps\config\audit.log]
Reply

santosh_sshanbh
Path Finder
‎09-28-2018 08:50 PM

Tried the same with D in caps but no success. Splunkd log still shows below

Adding watch on path: D:\Program Files\Apache Software Foundation

It seems that it is not recognizing rest of the path in monitor stanza.

0 Karma
Reply

JDukeSplunk
Builder
‎09-28-2018 10:56 AM

We do that very same thing for Tomcat logs since the server team cannot make up their mind where Apache should live.

Java and GC Logs

[monitor:///opt/apache-tomcat/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d

[monitor:///opt/prpc/prpclogs/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d

[monitor:///opt/prpc/pegalogs/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d

[monitor:///opt/prpc/logs/*/GC.log]
disabled = 0
index=application
sourcetype = prod:sun_jvm
ignoreOlderThan = 30d

0 Karma
Reply

santosh_sshanbh
Path Finder
‎09-28-2018 08:33 PM

Thanks for you inputs. However, in my case the UF is running on Windows OS and your stanza seems to be for Unix based system. I tried multiple options on windows but nothing is working.

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...