Inputs.conf - wildcard monitor stanzas on Windows

emiller42
Motivator

I have a series of files I'm monitoring on Windows servers that have to have wildcards in the monitor path.

C:\Program Files (x86)\folder\04-29-2013\foo.xml
C:\Program Files (x86)\folder\04-29-2013\bar.xml

The date part of the path changes each day. Foo and Bar are different source types. So I have monitor stanzas like so:

[monitor://C:\Program Files (x86)\folder\*\foo.xml]
[monitor://C:\Program Files (x86)\folder\*\bar.xml]

This seems like it should work fine, but I'm not getting any of the files indexed.

Further digging using fileMonitor.py showed me the following errors:

Did not match partial whitelist '^c:\\Program Files (x86)\\folder\\[^\\]*\\foo\.xml$'

It appears that when the monitor stanza is expanded to a regex for whitelisting purposes, the parens aren't being escaped properly. It should be:

'^c:\\Program Files \(x86\)\\folder\\[^\\]*\\foo\.xml$'

Not sure how I can work around this. If I wildcard the 'Program Files' folder, that means Splunk will try to match every file in C:\ with the generated whitelist, which isn't going to work.

Any ideas?


dwaddle
SplunkTrust

Terrible hack/workaround, but the old "short name" should work, like C:\PROGRA~2. Maybe someone can come up with something less vomit inducing.

emiller42
Motivator

Terrible yet effective!

I've put in a ticket about the issue, as I think it should be properly escaping the parens in the path. But in the meantime, this gets the job done.
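
The mismatch discussed in this thread, as an added example that is not part of the original posts and is not Splunk's code. The conversion in `naive_whitelist` is an assumption modelled on the regex in the error message above; all function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample based on the stanzas and paths quoted in the thread.
SAMPLE_CONF = r"""
[monitor://C:\Program Files (x86)\folder\*\foo.xml]
[monitor://C:\PROGRA~2\folder\*\bar.xml]
[monitor://C:\logs\app.log]
"""
REAL_FILE = r"C:\Program Files (x86)\folder\04-29-2013\foo.xml"
SHORT_FILE = r"C:\PROGRA~2\folder\04-29-2013\bar.xml"

def naive_whitelist(path):
    # Assumed behaviour, modelled on the regex in the error message:
    # '\' and '.' are escaped, '*' becomes [^\\]*, parentheses are left alone.
    out = []
    for ch in path:
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch in "\\.":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "^" + "".join(out) + "$"

def escaped_whitelist(path):
    # Same translation, but every literal segment is passed through re.escape.
    return "^" + r"[^\\]*".join(re.escape(p) for p in path.split("*")) + "$"

def matches(pattern, filename):
    return re.match(pattern, filename, re.IGNORECASE) is not None

def risky_stanzas(conf_text):
    # Flag wildcard monitor paths that also contain regex metacharacters,
    # since these are the stanzas that can silently stop collecting files.
    paths = re.findall(r"^\[monitor://(.+)\]\s*$", conf_text, re.MULTILINE)
    return [p for p in paths if "*" in p and re.search(r"[()\[\]{}+?|^$]", p)]

if __name__ == "__main__":
    stanza = r"C:\Program Files (x86)\folder\*\foo.xml"
    print(naive_whitelist(stanza), matches(naive_whitelist(stanza), REAL_FILE))
    print(escaped_whitelist(stanza), matches(escaped_whitelist(stanza), REAL_FILE))
    print(risky_stanzas(SAMPLE_CONF))
```

With the unescaped pattern, `(x86)` is read as a capture group, so it matches the text `x86` but never the literal parentheses in the real path. The short-name path contains no regex metacharacters and matches either way.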
