Getting Data In

Input.Conf with Version numbers

Cheng2Ready
Communicator
[monitor://\\njros1bva0597\d$\LogFiles\warcraft-9.0.71\logs\*]
disabled = false
host = NJROS1BVA0621
alwaysOpenFile = 1
sourcetype = Image Importer Logs


Is there a way to add a wildcard for any upcoming version updates like below? Will this work?


[monitor://\\njros1bva0597\d$\LogFiles\warcraft-9.*\logs\*]

Or does it have to be like this?

[monitor://\\njros1bva0597\d$\LogFiles\warcraft-9.[0-9].[0-9][0-9]\logs\*]




PrewinThomas
Motivator

@Cheng2Ready 

You can use a wildcard for future versions of 9 with the below,
Eg:
[monitor://\\njros1bva0597\d$\LogFiles\warcraft-9.*\logs\*]
disabled = false
host = NJROS1BVA0621
alwaysOpenFile = 1
sourcetype = Image Importer Logs

But I'm just curious that you have alwaysOpenFile = 1; I hope you have a valid reason for the same.
Just FYI - Enabling this option increases resource consumption and can slow down indexing.
#https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!


livehybrid
SplunkTrust

Hi @Cheng2Ready 

You can use a * for any value in the current directory/segment or ... to recursively wildcard. Therefore you can do the following:

[monitor://\\njros1bva0597\d$\LogFiles\warcraft-9.*\logs\*]
disabled = false
host = NJROS1BVA0621
alwaysOpenFile = 1
sourcetype = Image Importer Logs

Check out https://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards for more info on this and https://community.splunk.com/t5/Getting-Data-In/What-is-the-proper-use-of-wildcard-in-a-file-monitor... for other good examples.

Is there any particular reason you're using alwaysOpenFile=1? This is only useful for files that do not update modification time or size and adds resource overhead, so wanted to check.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
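
An added example (not part of the thread and not Splunk's code) that models the wildcard translation described in the Splunk input-path documentation linked above: `*` stays inside one path segment, `...` crosses any number of directories, and the longest wildcard-free prefix becomes the monitored directory. The sample file names are constructed, and Splunk's real matching may differ in details such as case handling.

```python
import re

def monitor_base(path, sep="\\"):
    """Longest wildcard-free directory prefix (what ends up being monitored)."""
    hits = [i for i in (path.find("..."), path.find("*")) if i != -1]
    if not hits:
        return path
    return path[:min(hits)].rsplit(sep, 1)[0]

def monitor_regex(path, sep="\\"):
    """Implicit allow-list regex for a wildcarded path (model of the documented rules)."""
    parts, i = [], 0
    while i < len(path):
        if path.startswith("...", i):      # ellipsis: any depth of subdirectories
            parts.append(".*")
            i += 3
        elif path[i] == "*":               # asterisk: never crosses a path separator
            parts.append("[^" + re.escape(sep) + "]*")
            i += 1
        else:                              # literal character, including '.' and '$'
            parts.append(re.escape(path[i]))
            i += 1
    return re.compile("".join(parts))

def captured(stanza_path, file_path, sep="\\"):
    """True if file_path matches the whole translated pattern."""
    return monitor_regex(stanza_path, sep).fullmatch(file_path) is not None

STANZA = r"\\njros1bva0597\d$\LogFiles\warcraft-9.*\logs\*"
ROOT = r"\\njros1bva0597\d$\LogFiles"
# Constructed sample paths; "import.log" is a made-up file name.
SAMPLES = [
    ROOT + r"\warcraft-9.0.71\logs\import.log",          # current version
    ROOT + r"\warcraft-9.0.78\logs\import.log",          # future 9.0.x
    ROOT + r"\warcraft-9.1.02\logs\import.log",          # future 9.x
    ROOT + r"\warcraft-10.0.01\logs\import.log",         # next major version
    ROOT + r"\warcraft-9.0.78\logs\archive\import.log",  # one level deeper
    ROOT + r"\warcraft-9.0.78\old\logs\import.log",      # extra directory level
]

if __name__ == "__main__":
    print("monitored base:", monitor_base(STANZA))
    for p in SAMPLES:
        print("match" if captured(STANZA, p) else "skip ", p)
```

Under this model the whole LogFiles directory is the monitored base and the wildcards only filter what is read from it, so a version 10 directory or logs in a subfolder would be skipped without any error.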

Cheng2Ready
Communicator

@livehybrid 
Just confirming: will it capture

warcraft-9.0.78\logs\*

Cheng2Ready
Communicator

Thank you @livehybrid 

I see, yeah, I just copied someone else's post for their input.conf example

https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-with-wildcards/m-p/59916

but my main focus was the Monitor line


Cheng2Ready
Communicator

@PrewinThomas 

Just confirming: will it capture

warcraft-9.0.78\logs\*

Cheng2Ready
Communicator

Thank you @PrewinThomas 

I see, yeah, I just copied someone else's post for their input.conf example

https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-with-wildcards/m-p/59916

but my main focus was the Monitor line

