Getting Data In

## Inputs.conf - wildcard monitor stanzas on Windows

Motivator

I have a series of files I'm monitoring on windows servers that have to have wildcards in the monitor path.

C:\Program Files (x86)\folder\04-29-2013\foo.xml
C:\Program Files (x86)\folder\04-29-2013\bar.xml


The date part of the path changes each day. Foo and Bar are different source types. So I have a monitor stanzas like so:

[monitor://C:\Program Files (x86)\folder\*\foo.xml]
[monitor://C:\Program Files (x86)\folder\*\bar.xml]


This seems like it should work fine, but I'm not getting any of the files indexed.

Further digging using using fileMonitor.py showed me the following errors:

Did not match partial whitelist '^c:\\Program Files (x86)\\folder\$^\$*\\foo\.xml$'  It appears that when the monitor stanza is expanded to a regex for whitelisting purposes, the parens aren't being escaped properly. It should be: ^c:\\Program Files $$x86$$\\folder\$^\$*\\foo\.xml$'


Not sure how I can work around this. If I wildcard the 'Program Files' folder, that means Splunk will try to match every file in C:\ with the generated whitelist, which isn't going to work.

Any ideas?

Tags (1)
1 Solution
SplunkTrust

Terrible hack/workaround, but the old "short name" should work, like C:\PROGRA~2. Maybe someone can come up with something less vomit inducing.

SplunkTrust

Terrible hack/workaround, but the old "short name" should work, like C:\PROGRA~2. Maybe someone can come up with something less vomit inducing.

Motivator

Terrible yet effective!

I've put in a ticket about the issue, as I think it should be properly escaping the parens in the path. But in the meantime, this gets the job done.

.conf21 CFS Extended through 5/20!

### Don't miss your chance to share your Splunk wisdom in-person or virtually at .conf21!Call for Speakers hasbeen extended throughThursday, 5/20! Submit Now! >

Get Updates on the Splunk Community!