Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my monitor stanza with wildcards to monitor a file with subfolders?

sbattista09
Contributor
‎10-28-2016 11:10 AM

I need help with setting these wild cards, it seems like Splunk is not picking up the file in the sub folders. Logs are in:

 /opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/year/month/day/day/APP-blah-blah-bhal-LOG

There is data in the sub folder in /year/month/day/day/, and then there are the file names that seem random, but start with APP and end with LOG.

Below is what I have set up and no data is coming in.

[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../.../.../.../APP*LOG]
disabled = false
recursive = false
sourcetype = blah
index = foofooblahhhhhh
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

goodsellt
Contributor
‎10-28-2016 11:14 AM

The three dots are already recursive, so you should be able to try:

[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../APP*LOG]

And have it work correctly. It's possible the multiples of those are throwing off the parser.

View solution in original post

Reply
Solved! Jump to solution
Solution

goodsellt
Contributor
‎10-28-2016 11:14 AM

The three dots are already recursive, so you should be able to try:

[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../APP*LOG]

And have it work correctly. It's possible the multiples of those are throwing off the parser.

Reply
Solved! Jump to solution

goodsellt
Contributor
‎10-28-2016 11:17 AM

Also set recursive to true, or else Splunk won't monitor sub-directories at all.

0 Karma
Reply
Solved! Jump to solution

goodsellt
Contributor
‎10-28-2016 11:15 AM

Also you may want to change the last bit so its (BEGINNING)*.LOG (or w/e the file extension is if there is one), so for example APP*.LOG. However if it's just a plain file (no extension) then your way should be fine.

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...