Solved: How to edit my monitor stanza with wildcards to mo...

sbattista09 · ‎10-28-2016

I need help with setting these wild cards, it seems like Splunk is not picking up the file in the sub folders. Logs are in:

 /opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/year/month/day/day/APP-blah-blah-bhal-LOG

There is data in the sub folder in /year/month/day/day/, and then there are the file names that seem random, but start with APP and end with LOG.

Below is what I have set up and no data is coming in.

[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../.../.../.../APP*LOG]
disabled = false
recursive = false
sourcetype = blah
index = foofooblahhhhhh

goodsellt · ‎10-28-2016

The three dots are already recursive, so you should be able to try:

[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../APP*LOG]

And have it work correctly. It's possible the multiples of those are throwing off the parser.

View solution in original post

goodsellt · ‎10-28-2016

The three dots are already recursive, so you should be able to try:

[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../APP*LOG]

And have it work correctly. It's possible the multiples of those are throwing off the parser.

goodsellt · ‎10-28-2016

Also set recursive to true, or else Splunk won't monitor sub-directories at all.

goodsellt · ‎10-28-2016

Also you may want to change the last bit so its (BEGINNING)*.LOG (or w/e the file extension is if there is one), so for example APP*.LOG. However if it's just a plain file (no extension) then your way should be fine.

How to edit my monitor stanza with wildcards to monitor a file with subfolders?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...