How do I wildcard any windows drive letter in the inputs.conf stanza below?
[monitor://[A-Z]:\Data\Disk1\*\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
Causes the below error...
07-16-2015 10:53:57.601 -0400 WARN TailingProcessor - Input stanza path, '[A-Z]:\\Data\\Disk1\\*\\MSSQL\\Log\\ERRORLOG*' is not absolute. This is a configuration error and may not work / break things. Change this path to an absolute path.
So this gets into how Splunk actually identifies what it needs to monitor. Take a more traditional monitor stanza like:
When Splunk sees the above, it goes to the deepest full path given, C:\Data\Disk1\, and turns the rest of the stanza name into a regex-based whitelist which is checked against all children of the given path.
When your monitor stanza starts with a wildcard, it has no base path to enumerate in the first place. (Windows doesn't have an equivalent to /) Even if it did, this is a bad idea as Splunk will need to enumerate every single file on a system to see if it is a regex match of the desired path.
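The split described in the answer above, as an added example that is not part of the original thread and not Splunk's own code: a simplified Python model of how a Windows monitor path divides into a base path and a whitelist regex. The function names, the drive-letter check and the sample file paths are assumptions made for illustration.

```python
import re

# Simplified model (assumption): "*" stays inside one path segment,
# "..." may cross segments, and the path must start with a literal drive.
WILDCARD = re.compile(r"\.\.\.|\*")
DRIVE = re.compile(r"^[A-Za-z]:$")

def whitelist_regex(path):
    """Turn the full stanza path into an anchored regex."""
    parts, pos = [], 0
    for m in WILDCARD.finditer(path):
        parts.append(re.escape(path[pos:m.start()]))
        parts.append(".*" if m.group() == "..." else r"[^\\]*")
        pos = m.end()
    parts.append(re.escape(path[pos:]))
    return "^" + "".join(parts) + "$"

def split_monitor_path(path):
    """Return (base_path, whitelist); (None, None) if there is no base path."""
    segments = path.split("\\")
    if not DRIVE.match(segments[0]):
        return None, None  # nothing to enumerate: the "is not absolute" case
    base = []
    for seg in segments:
        if WILDCARD.search(seg):
            return "\\".join(base) + "\\", whitelist_regex(path)
        base.append(seg)
    return path, None  # no wildcard: the path itself is monitored

def monitored(path, files):
    """Files under the base path that pass the whitelist."""
    base, wl = split_monitor_path(path)
    if base is None:
        return []
    if wl is None:
        return [f for f in files if f == base]
    return [f for f in files if f.startswith(base) and re.match(wl, f)]

# Constructed sample file paths, not taken from a real system.
SAMPLE_FILES = [
    r"C:\Data\Disk1\INST01\MSSQL\Log\ERRORLOG",
    r"C:\Data\Disk1\INST01\MSSQL\Log\ERRORLOG.1",
    r"C:\Data\Disk1\a\b\MSSQL\Log\ERRORLOG",   # "*" does not span two segments
    r"D:\Data\Disk1\INST02\MSSQL\Log\ERRORLOG",  # different drive, outside base
]

if __name__ == "__main__":
    for stanza in (r"C:\Data\Disk1\*\MSSQL\Log\ERRORLOG*",
                   r"[A-Z]:\Data\Disk1\*\MSSQL\Log\ERRORLOG*"):
        print(stanza, "->", split_monitor_path(stanza)[0], monitored(stanza, SAMPLE_FILES))
```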