Getting Data In

How to edit my monitor stanza with wildcards to monitor a file with subfolders?

sbattista09
Contributor

I need help with setting these wild cards, it seems like Splunk is not picking up the file in the sub folders. Logs are in:

 /opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/year/month/day/day/APP-blah-blah-bhal-LOG

There is data in the sub folder in /year/month/day/day/, and then there are the file names that seem random, but start with APP and end with LOG.

Below is what I have set up and no data is coming in.

[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../.../.../.../APP*LOG]
disabled = false
recursive = false
sourcetype = blah
index = foofooblahhhhhh
0 Karma
1 Solution

goodsellt
Contributor

The three dots are already recursive, so you should be able to try:

[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../APP*LOG]

And have it work correctly. It's possible the multiples of those are throwing off the parser.

View solution in original post

goodsellt
Contributor

The three dots are already recursive, so you should be able to try:

[monitor:///opt/app/nv/vtest/test1/logs/mylLogs/file1/file2/testing/.../APP*LOG]

And have it work correctly. It's possible the multiples of those are throwing off the parser.

View solution in original post

goodsellt
Contributor

Also set recursive to true, or else Splunk won't monitor sub-directories at all.

0 Karma

goodsellt
Contributor

Also you may want to change the last bit so its (BEGINNING)*.LOG (or w/e the file extension is if there is one), so for example APP*.LOG. However if it's just a plain file (no extension) then your way should be fine.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.