Getting Data In

Make Splunk Look For Logs Inside Folders

luteixeira
Explorer

Hello all! 🙂 

I'm currently implementing Splunk inside one of our company systems. It happens so that the logging structure works like this:

C:\Systems\System\Logs\A_Lot_Of_Folders\2020(year)\11(month)\day.txt

Since I have a lot of folders inside the Logs structure, I configured my stanza like this:

[monitor://C:\Systems\System\Logs\*]
index = MyIndex
disabled = 0
_TCP_ROUTING = my_config

I have also tried:

[monitor://C:\Systems\System\Logs]
index = MyIndex
disabled = 0
_TCP_ROUTING = my_config

But my Universal Forwarder won't look up inside the folders that I have inside the Logs directory.

Question 1: Is there a way to config a "global stanza setting" so the Universal Forwarder will look for every new event inside all of the folders or I will have to work with the hard way, configuring each and every folder with a new monitor stanza?

Question 2: Is there a way to automate whenever we turn to the next month or next year so I won't have to go back and configure all the stanzas with the current year/month that we are?

In terms of troubleshooting, I've already restarted the service and I have connectivity with the Splunk destination.

Thank you in advance!

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Universal Forwarders are supposed to recursively monitor subdirectories automatically, but perhaps another setting disabled that.  Try these settings.

[monitor://C:\Systems\System\Logs\...\*.txt]
index = MyIndex
disabled = 0
recursive = true
_TCP_ROUTING = my_config
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Universal Forwarders are supposed to recursively monitor subdirectories automatically, but perhaps another setting disabled that.  Try these settings.

[monitor://C:\Systems\System\Logs\...\*.txt]
index = MyIndex
disabled = 0
recursive = true
_TCP_ROUTING = my_config
---
If this reply helps you, Karma would be appreciated.

luteixeira
Explorer

Hello, Rich!

Thank you for your reply. Just upvoted your comment since the recursive attribute resolved both of my problems.

You're awesome!

Thank you again

0 Karma
Get Updates on the Splunk Community!

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...