Getting Data In

Monitor Stanzas with Wildcards

tedcvent
Explorer

I'm trying to monitor log-types of two different formats within the same directory on the same host. I'm trying a variety of configurations, but nothing seems to work. I've had cases where I have one log in the midst of garbage in a directory, and utilizing whitelist parameter works fine. But this is a bit different. Below is an example of the inputs.conf stanza I've used. We're pulling via a Windows UF, with a domain admin account. We've got this agent pulling tons of logs in a similar way across 50 other boxes. The index exists, the sourcetype works as we've used similar props.conf configuration previously. Any ideas as to why the below is not picking up the right logs?

[monitor://\\server\D$\Logs\eCommerce\Api*.log]
whitelist = Api*.log
sourcetype = ecommerce_api
ignoreOlderThan = 7d
host = server
index = region

[monitor://\\server\Logs\eCommerce\Consumer*.log]
whitelist = Consumer*.log
sourcetype = ecommerce_consumer
ignoreOlderThan = 7d
host = server
index = region

Thanks,

Ted

0 Karma

Dev999
Communicator

The UNC share is supported, but you need two backslashes to start:

monitor://\\server\D$\Logs\eCommerce\Api*.log

whitelist needs to be a regex, while in the monitor line you use file-system style.

0 Karma

tedcvent
Explorer

That's just a parsing issue on this site that I didn't fix. It's correct in the actual inputs.conf. Still doesn't ever pick it up. I'm just scrapping this and finding a different solution. Thanks though.

0 Karma

martin_mueller
SplunkTrust

Two thoughts... first, the second log doesn't have that D$ in the path, but you said they're in the same directory?
Second and more importantly, I believe the whitelist parameter takes regular expressions, so you might need Api.*\.log and Consumer.*\.log instead. See http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Whitelistorblacklistspecificincomingdata for reference.

I don't think you need the whitelist keys at all though - your monitor stanza path already covers those restrictions.

0 Karma
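To make the glob-versus-regex point above concrete, here is an added example (not from the thread or from Splunk's own code) that applies the original whitelist value and the suggested regex to some constructed UNC paths. It assumes, as the docs linked above describe, that the whitelist regex is tested with an unanchored search against the full path, while the monitor:// path itself is matched file-system style.

```python
import re
from fnmatch import fnmatchcase

# Constructed file paths, as the forwarder would see them on the UNC share.
SAMPLE_PATHS = [
    r"\\server\D$\Logs\eCommerce\Api.log",
    r"\\server\D$\Logs\eCommerce\Api_2014-05-01.log",
    r"\\server\D$\Logs\eCommerce\Api_2014-05-01.log.bak",
    r"\\server\D$\Logs\eCommerce\Consumer.log",
    r"\\server\D$\Logs\eCommerce\Consumer_2014-05-01.log",
]


def basename(path):
    """Last component of a Windows-style path."""
    return path.rsplit("\\", 1)[-1]


def glob_matches(pattern, paths=SAMPLE_PATHS):
    """File-system style matching, as the monitor:// path does (basename only)."""
    return [basename(p) for p in paths if fnmatchcase(basename(p), pattern)]


def regex_matches(pattern, paths=SAMPLE_PATHS):
    """Regex matching, as the whitelist key does.
    Assumption: unanchored re.search over the full path."""
    return [basename(p) for p in paths if re.search(pattern, p)]


def compare(pattern):
    """Return (glob hits, regex hits) so the two readings can be compared side by side."""
    return glob_matches(pattern), regex_matches(pattern)


if __name__ == "__main__":
    # "Api*.log" read as a regex means "Ap", zero or more "i", any one char, "log":
    # it hits Api.log but misses every rotated Api_<date>.log file.
    # "Api.*\.log" fixes that, and "$" keeps out .log.bak leftovers.
    for pat in (r"Api*.log", r"Api.*\.log", r"Api.*\.log$"):
        g, r = compare(pat)
        print(f"{pat!r:16} glob={g} regex={r}")
```

Running it shows the glob reading of Api*.log picks up the dated files while the regex reading does not, which is the silent mismatch a whitelist copied from a monitor path produces.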

tedcvent
Explorer

Yeah sadly, no luck. I'm wondering if it's not a bug/unsupported feature in Windows when trying to do this across a UNC share.

0 Karma

martin_mueller
SplunkTrust

If you're not getting anything without the whitelist keys, then adding any will only reduce your matching files, i.e. remain at nothing.

Take a poke around the _internal logs for that forwarder if anything weird pops up, and look at its tailing processor using this: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

tedcvent
Explorer

Thanks, I'll give it a try. And the missing D$ is purely a copy/paste fail! I tried with and without the whitelist, but neither were picking up the logs. It's pretty odd. I use the same sourcetype and general configuration in other places (sans the multiple sourcetypes in one path) without issue.

0 Karma