Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Make Splunk Look For Logs Inside Folders

luteixeira
Explorer
‎11-11-2020 10:31 AM

Hello all! 🙂 

I'm currently implementing Splunk inside one of our company systems. It happens so that the logging structure works like this:

C:\Systems\System\Logs\A_Lot_Of_Folders\2020(year)\11(month)\day.txt

Since I have a lot of folders inside the Logs structure, I configured my stanza like this:

[monitor://C:\Systems\System\Logs\*]
index = MyIndex
disabled = 0
_TCP_ROUTING = my_config

I have also tried:

[monitor://C:\Systems\System\Logs]
index = MyIndex
disabled = 0
_TCP_ROUTING = my_config

But my Universal Forwarder won't look up inside the folders that I have inside the Logs directory.

Question 1: Is there a way to config a "global stanza setting" so the Universal Forwarder will look for every new event inside all of the folders or I will have to work with the hard way, configuring each and every folder with a new monitor stanza?

Question 2: Is there a way to automate whenever we turn to the next month or next year so I won't have to go back and configure all the stanzas with the current year/month that we are?

In terms of troubleshooting, I've already restarted the service and I have connectivity with the Splunk destination.

Thank you in advance!

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 11:10 AM

Universal Forwarders are supposed to recursively monitor subdirectories automatically, but perhaps another setting disabled that.  Try these settings.

[monitor://C:\Systems\System\Logs\...\*.txt]
index = MyIndex
disabled = 0
recursive = true
_TCP_ROUTING = my_config
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 11:10 AM

Universal Forwarders are supposed to recursively monitor subdirectories automatically, but perhaps another setting disabled that.  Try these settings.

[monitor://C:\Systems\System\Logs\...\*.txt]
index = MyIndex
disabled = 0
recursive = true
_TCP_ROUTING = my_config
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

luteixeira
Explorer
‎11-11-2020 12:31 PM

Hello, Rich!

Thank you for your reply. Just upvoted your comment since the recursive attribute resolved both of my problems.

You're awesome!

Thank you again

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...