Getting Data In

Inputs.conf and special characters

Splunk Employee
Splunk Employee

I have an inputs.conf file that had a monitor statement like:

[monitor:///*_ECM/A/doc/abc.log]

Files are NOT being picked up. If I get rid of the * and put a file name like:

[monitor:///DOC_ECM/A/doc/abc.log]

it works fine.

How do I escape out the "_" or use a Regex to get the correct filenames?

Tags (1)
0 Karma

Legend

This seems like a bug, based on what you have described here. I would file a support ticket.

But I think there may also be a work-around.

First, for the stanza, do either of these work?

[monitor:///*ECM/A/doc/abc.log]

[monitor:///*/A/doc/abc.log]

If you can make it work for a wider selection of directories (I know that isn't optimal), then you can restrict using the whitelist:

[monitor:///*ECM/A/doc/abc.log]
whitelist=^/.*?_ECM/

This whitelist should work for either of the stanzas above. Whitelists are regular expressions, stanzas are not.

Legend

Thanks - let us know how it works out!

0 Karma

Splunk Employee
Splunk Employee

Submitted a ticket to support.

Tried your suggestions above and it did NOT work.

Even looking in the logs I see where Splunk is reading the values from inputs.conf but no files get picked up and show up in WatchedFile.

0 Karma

Splunk Employee
Splunk Employee

Linux, not Windows.

0 Karma

Super Champion

Is this windows? If so, you cannot use wildcards at the root.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!