Make Splunk Look For Logs Inside Folders

luteixeira
Explorer

Hello all! 🙂 

I'm currently implementing Splunk inside one of our company systems. It happens so that the logging structure works like this:

C:\Systems\System\Logs\A_Lot_Of_Folders\2020(year)\11(month)\day.txt

Since I have a lot of folders inside the Logs structure, I configured my stanza like this:

[monitor://C:\Systems\System\Logs\*]
index = MyIndex
disabled = 0
_TCP_ROUTING = my_config

I have also tried:

[monitor://C:\Systems\System\Logs]
index = MyIndex
disabled = 0
_TCP_ROUTING = my_config

But my Universal Forwarder won't look inside the folders that I have inside the Logs directory.

Question 1: Is there a way to configure a "global stanza setting" so the Universal Forwarder will look for every new event inside all of the folders, or will I have to do it the hard way, configuring each and every folder with a new monitor stanza?

Question 2: Is there a way to automate this whenever we turn to the next month or next year, so I won't have to go back and configure all the stanzas with the current year/month that we are in?

In terms of troubleshooting, I've already restarted the service and I have connectivity with the Splunk destination.

Thank you in advance!


richgalloway
SplunkTrust

Universal Forwarders are supposed to recursively monitor subdirectories automatically, but perhaps another setting disabled that.  Try these settings.

[monitor://C:\Systems\System\Logs\...\*.txt]
index = MyIndex
disabled = 0
recursive = true
_TCP_ROUTING = my_config
---
If this reply helps you, Karma would be appreciated.
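
An added example, not part of the original thread and not Splunk's own code: a small Python check that models the documented regex equivalents of the monitor wildcards (`...` as `.*`, `*` as a single path segment) to show why the `Logs\*` stanza misses the nested day files while the `...\*.txt` stanza keeps matching when new month and year folders appear. The folder names `AppA`/`AppB`, the file names and the helper names are constructed for illustration.

```python
import re

def monitor_path_to_regex(path):
    """Model a Windows monitor:// path as an anchored regex.

    Assumption: uses the regex equivalents from Splunk's wildcard docs,
    '...' -> '.*' and '*' -> one path segment; not the forwarder's code.
    """
    parts, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")         # recurses through any number of folders
            i += 3
        elif path[i] == "*":
            parts.append(r"[^\\]*")    # never crosses a backslash
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def covered(monitor_path, files):
    """Return the files that the modelled monitor path would match."""
    rx = monitor_path_to_regex(monitor_path)
    return [f for f in files if rx.match(f)]

# Constructed sample files following the layout in the question.
BASE = "C:\\Systems\\System\\Logs"
FILES = [
    BASE + "\\AppA\\2020\\11\\05.txt",
    BASE + "\\AppA\\2020\\12\\01.txt",   # next month
    BASE + "\\AppB\\2021\\01\\01.txt",   # next year
    BASE + "\\AppA\\2020\\11\\05.bak",   # not a .txt log
]

SINGLE_STAR = BASE + "\\*"          # first stanza from the question
ELLIPSIS = BASE + "\\...\\*.txt"    # stanza from the accepted answer

if __name__ == "__main__":
    for stanza in (SINGLE_STAR, ELLIPSIS):
        print("[monitor://%s]" % stanza)
        for f in covered(stanza, FILES):
            print("   matches", f)
```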

luteixeira
Explorer

Hello, Rich!

Thank you for your reply. Just upvoted your comment since the recursive attribute resolved both of my problems.

You're awesome!

Thank you again
