Solved: Issues with wildcard input stanza

wilcomply13 · ‎05-03-2021

I've been having issues with wildcarded input monitoring. In an attempt to adjust for an issue with file path naming across a number of servers.

My original/working stanza. Disregard ellipses, I've shortened the path for this posting:

- [monitor://D:\Program Files\Microsoft\...\MessageTracking]

My adjusted/wildcarded stanzas that have not worked for input on any of our. Disregard ellipses, I've shortened the path for this posting to increase readability:

- [monitor://D:\*\Microsoft\...\MessageTracking]

- [monitor://D:\Prog*am Files\Microsoft\...\MessageTracking]

- [monitor://D:\*Files\Microsoft\...\MessageTracking]

I don't appear to receive an error message after this change, but logs completely drop off when wildcard is put into the deployed configuration.

wilcomply13 · ‎05-10-2021

Unfortunately, I've no direct access to the endpoint. I've resolved the issue by putting in a secondary input stanza to account for the file path difference.

View solution in original post

wilcomply13 · ‎05-10-2021

Unfortunately, I've no direct access to the endpoint. I've resolved the issue by putting in a secondary input stanza to account for the file path difference.

s2_splunk · ‎05-03-2021

Can you run

$SPLUNK_HOME/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus

to check if it provides any hints as to why your wildcards don't match? Many moons ago, spaces in wild-carded directories on Windows caused issues, but those should be fixed by now. I don't really see anything wrong with your config.

Issues with wildcard input stanza

inputs.conf

monitor

universal forwarder

Windows

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases