How to edit inputs.conf to monitor logs on Windows machine?

Path Finder

To monitor a file on a Windows machine with names like:
access.201609230000_00

I wrote the following stanza in inputs.conf

[monitor:///D:/Program Files/Tableau/Tableau Server/data/tabsvc/logs/httpd/access*]
   blacklist = \.(gz|bz2|z|zip)$
   index = tableau
   sourcetype = httpd_access

But I am getting an error:

 error getting attributes of path "D:/Program Files/Tableau/Tableau Server/data/tabsvc/logs/httpd/access*": The filename, directory name, or volume label syntax is incorrect.

How to resolve this?

0 Karma
1 Solution

SplunkTrust

You need to use backslashes (the Windows way basically):

[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access*]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

You should also escape the dot from your blacklist.
See this

EDIT (include longer answer from comments):

Have you tried any of the following two approaches?

# Use a dot before the wildcard
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.*]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

# Regex to the rescue. 
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\]
whitelist = access\.[\d\_]+$
# I don't think you need the blacklist anymore
# blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

Or alternatively and just to test:

# Use full name. Not exactly what you need but worth trying
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.2016_09_23_00_00_00]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

Do you still get the same error when using any of the above?

Thanks,
J

Path Finder

The problem is not with slashes. All my other logs are getting monitored perfectly fine.
Only this one, where I have used a wildcard, is not getting monitored.

Windows seems to have a problem with *

0 Karma

SplunkTrust

Are you getting the same error message when you use the latest config I wrote above?

I can't see anything wrong with the wildcard and I've used it before on Windows but just in case, have you tried any of the following two approaches?

# Use a dot before the wildcard
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.*]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

# Regex to the rescue. 
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\]
whitelist = access\.[\d\_]+$
# I don't think you need the blacklist anymore
# blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

Or alternatively and just to test:

# Use full name. Not exactly what you need but worth trying
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.2016_09_23_00_00_00]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

Do you still get the same error when using any of the above?

0 Karma

Path Finder

[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd]
whitelist = access.[\d_]+$
# I don't think you need the blacklist anymore
# blacklist = .(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

This worked.
Thanks ..!!

0 Karma
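
An added example, not part of the thread and not Splunk's own code: a quick offline check of which file names the whitelist and blacklist regexes from this thread would select. It assumes Splunk applies both as unanchored regexes to the full path with blacklist taking precedence, uses Python's `re` as a stand-in for Splunk's regex engine, and adds a hypothetical left-anchored variant (`WHITELIST_ANCHORED`); all file names except the first are constructed.

```python
import re

# Directory from the monitor stanza in the thread.
MONITOR_DIR = "D:\\Program Files\\Tableau\\Tableau Server\\data\\tabsvc\\logs\\httpd"

WHITELIST_ESCAPED = r"access\.[\d\_]+$"     # as written in the answer
WHITELIST_UNESCAPED = r"access.[\d_]+$"     # as posted in the "This worked" reply
WHITELIST_ANCHORED = r"\\access\.[\d_]+$"   # hypothetical: pins the start of the file name
BLACKLIST = r"\.(?:gz|bz2|z|zip)$"          # as written in the answer

# Constructed sample names; only the first follows the pattern from the question.
SAMPLE_FILES = [
    "access.201609230000_00",
    "access.201609230000_00.gz",
    "access.201609230000_00.zip",
    "error.log",
    "access_201609230000_00",
    "ssl_access.201609230000_00",
]

def monitored(filename, whitelist=None, blacklist=None):
    """Return True if the file would be picked up under the assumed rules."""
    path = MONITOR_DIR + "\\" + filename
    if blacklist and re.search(blacklist, path):
        return False          # assumption: blacklist overrides whitelist
    if whitelist and not re.search(whitelist, path):
        return False          # a whitelist, when set, must match
    return True

def selected(whitelist=None, blacklist=None):
    """List the sample files that pass the given filters, in input order."""
    return [f for f in SAMPLE_FILES if monitored(f, whitelist, blacklist)]

if __name__ == "__main__":
    cases = [
        ("blacklist only", None, BLACKLIST),
        ("escaped whitelist", WHITELIST_ESCAPED, None),
        ("escaped whitelist + blacklist", WHITELIST_ESCAPED, BLACKLIST),
        ("unescaped whitelist", WHITELIST_UNESCAPED, None),
        ("left-anchored whitelist", WHITELIST_ANCHORED, None),
    ]
    for label, wl, bl in cases:
        print(f"{label:32} {selected(wl, bl)}")
```

The trailing `$` already drops the compressed copies, so the blacklist adds nothing once the whitelist is in place. Neither posted whitelist is anchored on the left, and the unescaped dot also admits names such as `access_...`.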

Path Finder

Tried backslashes as well, but it was of no help.

The problem is with *.

0 Karma

SplunkTrust

My bad, I added 3 slashes after monitor and there should only be 2.

[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd\access*]
blacklist = \.(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access

0 Karma