Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Matching Windows path in props.conf

matthewjohnson
Explorer
‎01-25-2016 03:24 PM

I'm trying to set up the Splunk for A10 Networks app.

It expects syslog data on UDP port 514.

My data is collected by NXLog, spit out into a file, and then consumed by Splunk.

As such, I'm trying to edit a props.conf stanza in the app's directory from it's default, [source::udp:514] to match my file path.

Example path:

D:\syslog\a10networks&adc_a10networks\[device name]\[file name].syslog.

How would I construct my source stanza?

I've tried many variations along the lines of, [source::D:\\...\\a10networks&adc_a10networks\\....syslog] (I have tried escaping the ampersand in my path). I'm running Splunk on Windows if it matters.

0 Karma
Reply

lguinn2
Legend
‎01-25-2016 04:24 PM

I think that this is what you need in props.conf if there is only one layer of directories represented by [device name]

[source::D:\syslog\a10networks&adc_a10networks\*\*.syslog]

This will work if the directory structure is more complicated

[source::D:\syslog\a10networks&adc_a10networks\...\*.syslog]
Reply

matthewjohnson
Explorer
‎01-26-2016 02:44 PM

I tried your example, with and without escaped backslashes, and still couldn't get it to work. I'm wondering if it isn't related to the '&' in the path. In the end, I assigned a source type (a10) via Splunk file & folder monitoring, and replaced my [source::...] stanza with [a10]. Now everything is working.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎01-25-2016 04:52 PM

How about the & in the path name, does this work? I can remember a bug which did not like $ in path names.

Reply

MuS
SplunkTrust
SplunkTrust
‎01-25-2016 04:23 PM

Hi matthewjohnson,

you can use something like this in your inputs.conf :

 [monitor://D:\syslog\...\*.syslog]

which will recurses through the directories in side of syslog.

Hope this helps ...

cheers, MuS

Reply

matthewjohnson
Explorer
‎01-26-2016 02:46 PM

Thanks for the input. @lguinn is correct, I'm editing an app and am working with props.conf

0 Karma
Reply

lguinn2
Legend
‎01-25-2016 04:27 PM

Yes, this is good for inputs.conf, but I think he may be editing an app, in which case he probably needs to edit props.conf as well...

That's a little different.

PS. I corrected the typo in your monitor stanza (missing ])

Reply

MuS
SplunkTrust
SplunkTrust
‎01-25-2016 04:51 PM

HeHe, twice good spotting @lguinn

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...