Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Inputs.conf - separate monitors for sub-directories

cramasta
Builder
‎01-11-2013 12:00 PM

Seeing if you could help me understand why these settings don’t work as I am expecting them to. I have the two monitoring stanza’s in my inputs.conf
If I have just monitor 1 enabled it works fine. As soon as I enable monitor 2 it seems to override monitor 1 and causes monitor 1 not to work anymore. It seems like when I enable monitor 2 it puts into effect the recursive=false which would include the directory that I want monitor 1 to watch. I thought the monitoring stanzas operated independently of each other?

monitor 1: This should monitor all files in the DEFAULT directory but not go recursively in to other directories

[monitor://\\server1\c$\Temp\Log\DocumentCacheListener\DEFAULT]
disabled = false
followTail = 0
index = apollo
sourcetype = default
ignoreOlderThan = 1d
crcSalt = 
recursive = false

*monitor 2: * this should monitor all files in the DocumentCacheListener directory and not go recursively into other directories.

[monitor://\\server2\c$\Temp\Log\DocumentCacheListener]
disabled = 0
followTail = 0
sourcetype = listener
ignoreOlderThan = 1d
crcSalt = 
recursive = false
Tags (1)
0 Karma
Reply

elof
Path Finder
‎03-10-2014 11:07 AM

Not really an answer (since I think this is a bug), but here's how I did a workaround for a simillar scenario:
http://answers.splunk.com/answers/126064/bug-in-universal-forwarder-inputsconf-monitor-and-recursive...

0 Karma
Reply

cramasta
Builder
‎02-27-2013 08:41 AM

Here is what I had to do in order to get this to work. Involved using a inputs.conf/props.conf combination

inputs.conf

this tells splunk to monitor the directory and all subdirectories

[monitor://\\uslibintv27\c$\Temp\Log\DocumentCacheListener\]
disabled = 1
followTail = 0
host = uslibintv27
index = apollodev

props.conf

I then define my sourcetypes by creating matching source stanzas in the props.conf'

[source::...\\DocumentCacheListener\\*log]
NO_BINARY_CHECK = 1
pulldown_type = 1
sourcetype=listener`

[source::...\\DocumentCacheListener\\DEFAULT\\*log]
NO_BINARY_CHECK = 1
pulldown_type = 1
sourcetype=default
0 Karma
Reply

MSimon
Engager
‎01-15-2013 04:21 AM

I've got the same problem.

If you enable monitor 2 the property recursive = false prevents to monitor the path under monitor 1.

Check the URL 'https://:8089/services/admin/inputstatus/TailingProcessor%3AFileStatus'

Look at the directory ...\Temp\Log\DocumentCacheListener\DEFAULT
If type is "ignored item (recursion disabled)" it's the evidence

Reply

tgow
Splunk Employee
Splunk Employee
‎01-11-2013 12:56 PM

I would recommend that you run the following command to see if there are any errors:

./splunk cmd btool inputs list --debug

0 Karma
Reply

cramasta
Builder
‎01-11-2013 01:18 PM

no noticeable errors in the output.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...