I have a series of files I'm monitoring on Windows servers that have to have wildcards in the monitor path.
C:\Program Files (x86)\folder\04-29-2013\foo.xml
C:\Program Files (x86)\folder\04-29-2013\bar.xml
The date part of the path changes each day. Foo and Bar are different source types. So I have monitor stanzas like so:
[monitor://C:\Program Files (x86)\folder\*\foo.xml]
[monitor://C:\Program Files (x86)\folder\*\bar.xml]
This seems like it should work fine, but I'm not getting any of the files indexed.
Further digging using fileMonitor.py showed me the following errors:
Did not match partial whitelist '^c:\\Program Files (x86)\\folder\\[^\\]*\\foo\.xml$'
It appears that when the monitor stanza is expanded to a regex for whitelisting purposes, the parens aren't being escaped properly. It should be:
^c:\\Program Files \(x86\)\\folder\\[^\\]*\\foo\.xml$
Not sure how I can work around this. If I wildcard the 'Program Files' folder, that means Splunk will try to match every file in C:\ with the generated whitelist, which isn't going to work.
Terrible hack/workaround, but the old "short name" should work, like C:\PROGRA~2. Maybe someone can come up with something less vomit inducing.
Terrible yet effective!
I've put in a ticket about the issue, as I think it should be properly escaping the parens in the path. But in the meantime, this gets the job done.
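The failure described in the question and the reason the short-name workaround avoids it can be reproduced outside Splunk. The sketch below is an added example, not Splunk's code and not from the posters: `monitor_to_whitelist` and `is_monitored` are hypothetical helpers that expand a monitor path into an anchored regex the way the error message suggests, with a switch to leave parentheses unescaped.

```python
import re

# Regex metacharacters that must be escaped when a literal path becomes a pattern.
META = set("\\.()[]{}+?^$|")

# Paths taken from the thread; SHORT_* use the 8.3 short name from the answer.
STANZA = r"C:\Program Files (x86)\folder\*\foo.xml"
SAMPLE = r"C:\Program Files (x86)\folder\04-29-2013\foo.xml"
SHORT_STANZA = r"C:\PROGRA~2\folder\*\foo.xml"
SHORT_SAMPLE = r"C:\PROGRA~2\folder\04-29-2013\foo.xml"


def monitor_to_whitelist(path, escape_parens=True):
    """Expand a monitor path into an anchored whitelist regex (hypothetical helper).

    '*' becomes [^\\]* so it matches within one path segment only.
    escape_parens=False reproduces the reported behaviour: '(' and ')' are
    copied through and become a capture group instead of literal characters.
    """
    out = []
    for ch in path:
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch in META and (escape_parens or ch not in "()"):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "^" + "".join(out) + "$"


def is_monitored(stanza_path, file_path, escape_parens=True):
    """True if file_path passes the whitelist generated from stanza_path."""
    pattern = monitor_to_whitelist(stanza_path, escape_parens)
    # Windows paths are case-insensitive, so match that way.
    return re.match(pattern, file_path, re.IGNORECASE) is not None


if __name__ == "__main__":
    for label, stanza, sample, esc in [
        ("unescaped parens", STANZA, SAMPLE, False),
        ("escaped parens", STANZA, SAMPLE, True),
        ("short name, unescaped", SHORT_STANZA, SHORT_SAMPLE, False),
    ]:
        print(label, monitor_to_whitelist(stanza, esc),
              is_monitored(stanza, sample, esc))
```

With the parentheses unescaped, the pattern only matches a directory literally named `Program Files x86`, so the real file is silently skipped and never indexed; the short name works because it contains no regex metacharacters other than the backslash and dot that are already handled.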