Getting Data In

Make Splunk Look For Logs Inside Folders

luteixeira
Explorer

Hello all! 🙂 

I'm currently implementing Splunk inside one of our company systems. It happens so that the logging structure works like this:

C:\Systems\System\Logs\A_Lot_Of_Folders\2020(year)\11(month)\day.txt

Since I have a lot of folders inside the Logs structure, I configured my stanza like this:

[monitor://C:\Systems\System\Logs\*]
index = MyIndex
disabled = 0
_TCP_ROUTING = my_config

I have also tried:

[monitor://C:\Systems\System\Logs]
index = MyIndex
disabled = 0
_TCP_ROUTING = my_config

But my Universal Forwarder won't look up inside the folders that I have inside the Logs directory.

Question 1: Is there a way to config a "global stanza setting" so the Universal Forwarder will look for every new event inside all of the folders or I will have to work with the hard way, configuring each and every folder with a new monitor stanza?

Question 2: Is there a way to automate whenever we turn to the next month or next year so I won't have to go back and configure all the stanzas with the current year/month that we are?

In terms of troubleshooting, I've already restarted the service and I have connectivity with the Splunk destination.

Thank you in advance!

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Universal Forwarders are supposed to recursively monitor subdirectories automatically, but perhaps another setting disabled that.  Try these settings.

[monitor://C:\Systems\System\Logs\...\*.txt]
index = MyIndex
disabled = 0
recursive = true
_TCP_ROUTING = my_config
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Universal Forwarders are supposed to recursively monitor subdirectories automatically, but perhaps another setting disabled that.  Try these settings.

[monitor://C:\Systems\System\Logs\...\*.txt]
index = MyIndex
disabled = 0
recursive = true
_TCP_ROUTING = my_config
---
If this reply helps you, Karma would be appreciated.

luteixeira
Explorer

Hello, Rich!

Thank you for your reply. Just upvoted your comment since the recursive attribute resolved both of my problems.

You're awesome!

Thank you again

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...