Re: Inputs.conf Not Picking Up What I expect

daniel333 · ‎11-19-2013

I am trying to pull in a several log files that are always being updated from a folder on Windows. Here is my inputs.conf

[monitor://C:\Siebel\sba81\siebsrvr\BIN\*.log]
index=siebel
sourcetype=siebel_scg_logs

But the results in splunk only show one file ignoring all the other ones. Any idea why Splunk is not gathering the other log files in the directory? Did I miss something in the stanza I needed?

pradeepkumarg · ‎11-21-2013

" * " doesn't work as expected in windows

This should work

[monitor://C:\Siebel\sba81\siebsrvr\BIN\]
index=siebel
sourcetype=siebel_scg_logs
whitelist=\.log$

lukejadamec · ‎11-21-2013

That is not exactly true, you just need to 'know' what to expect. If you want to get dizzy you can read the rules:

http://docs.splunk.com/Documentation/Splunk/6.0/Data/Specifyinputpathswithwildcards

My guess is that splunk is treating \* as regex not a * wildcard. Regardless, I believe the example in the doc says that \* does not work in Windows; you should expect it to fail.

Ayn · ‎11-19-2013

This script will help you in determining what status Splunk has for your monitor inputs: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

lukejadamec · ‎11-19-2013

You should post your monitor string as code (select the 101010 format option at the top).
Escape characters are important in a monitor string.

somesoni2 · ‎11-19-2013

Would it be possible for you to tell the filenames present in the folder?

Inputs.conf Not Picking Up What I expect

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann