Getting Data In

Input stanza path is not absolute.

Path Finder

How do I wildcard any windows drive letter in the inputs.conf stanza below?

inputs.conf

[monitor://[A-Z]:\Data\Disk1\*\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog

Causes the below error...

07-16-2015 10:53:57.601 -0400 WARN  TailingProcessor - Input stanza path, '[A-Z]:\\Data\\Disk1\\*\\MSSQL\\Log\\ERRORLOG*' is not absolute.  This is a configuration error and may not work / break things.  Change this path to an absolute path.
Tags (2)
0 Karma

Motivator

So this gets into how Splunk actually identifies what it needs to monitor. Take a more traditional monitor stanza like:

[monitor://C:\Data\Disk1\*\MSSQL\Log\ERRORLOG*]

When splunk sees the above, it goes to the deepest full path given C:\Data\Disk1\ and turns the rest of the stanza name into a regex-based whitelist which is checked against all children of the given path.

When your monitor stanza starts with a wildcard, it has no base path to enumerate in the first place. (Windows doesn't have an equivalent to /) Even if it did, this is a bad idea as Splunk will need to enumerate every single file on a system to see if it is a regex match of the desired path.

SplunkTrust
SplunkTrust

To add an actual solution, just put up to 26 stanzas in your inputs.conf.

Motivator

Yes, apologies I thought this was implied in my answer.

SplunkTrust
SplunkTrust

It was, no worries.

0 Karma