Solved: Issues with wildcard input stanza

wilcomply13 · ‎05-03-2021

I've been having issues with wildcarded input monitoring. In an attempt to adjust for an issue with file path naming across a number of servers.

My original/working stanza. Disregard ellipses, I've shortened the path for this posting:

- [monitor://D:\Program Files\Microsoft\...\MessageTracking]

My adjusted/wildcarded stanzas that have not worked for input on any of our. Disregard ellipses, I've shortened the path for this posting to increase readability:

- [monitor://D:\*\Microsoft\...\MessageTracking]

- [monitor://D:\Prog*am Files\Microsoft\...\MessageTracking]

- [monitor://D:\*Files\Microsoft\...\MessageTracking]

I don't appear to receive an error message after this change, but logs completely drop off when wildcard is put into the deployed configuration.

wilcomply13 · ‎05-10-2021

Unfortunately, I've no direct access to the endpoint. I've resolved the issue by putting in a secondary input stanza to account for the file path difference.

View solution in original post

wilcomply13 · ‎05-10-2021

Unfortunately, I've no direct access to the endpoint. I've resolved the issue by putting in a secondary input stanza to account for the file path difference.

s2_splunk · ‎05-03-2021

Can you run

$SPLUNK_HOME/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus

to check if it provides any hints as to why your wildcards don't match? Many moons ago, spaces in wild-carded directories on Windows caused issues, but those should be fixed by now. I don't really see anything wrong with your config.

Issues with wildcard input stanza

inputs.conf

monitor

universal forwarder

Windows

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes