Input stanza path is not absolute.

archspangler · ‎07-16-2015

How do I wildcard any windows drive letter in the inputs.conf stanza below?

inputs.conf

[monitor://[A-Z]:\Data\Disk1\*\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog

Causes the below error...

07-16-2015 10:53:57.601 -0400 WARN  TailingProcessor - Input stanza path, '[A-Z]:\\Data\\Disk1\\*\\MSSQL\\Log\\ERRORLOG*' is not absolute.  This is a configuration error and may not work / break things.  Change this path to an absolute path.

emiller42 · ‎07-20-2015

So this gets into how Splunk actually identifies what it needs to monitor. Take a more traditional monitor stanza like:

[monitor://C:\Data\Disk1\*\MSSQL\Log\ERRORLOG*]

When splunk sees the above, it goes to the deepest full path given C:\Data\Disk1\ and turns the rest of the stanza name into a regex-based whitelist which is checked against all children of the given path.

When your monitor stanza starts with a wildcard, it has no base path to enumerate in the first place. (Windows doesn't have an equivalent to /) Even if it did, this is a bad idea as Splunk will need to enumerate every single file on a system to see if it is a regex match of the desired path.

martin_mueller · ‎07-20-2015

To add an actual solution, just put up to 26 stanzas in your inputs.conf.

emiller42 · ‎07-21-2015

Yes, apologies I thought this was implied in my answer.

martin_mueller · ‎07-21-2015

It was, no worries.

Input stanza path is not absolute.

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...