
Monitor Stanza's with Wildcards

Explorer

I'm trying to monitor log-types of two different formats within the same directory on the same host. I'm trying a variety of configurations, but nothing seems to work. I've had cases where I have one log in the midst of garbage in a directory, and utilizing the whitelist parameter works fine. But this is a bit different. Below is an example of the inputs.conf stanza I've used. We're pulling via a Windows UF, with a domain admin account. We've got this agent pulling tons of logs in a similar way across 50 other boxes. The index exists, the sourcetype works as we've used similar props.conf configuration previously. Any ideas as to why the below is not picking up the right logs?

[monitor://\\server\D$\Logs\eCommerce\Api*.log]
whitelist = Api*.log
sourcetype = ecommerceapi
ignoreOlderThan = 7d
host = server
index=region
[monitor://\\server\Logs\eCommerce\Consumer*.log]
whitelist =Consumer*.log
sourcetype = ecommerce
consumer
ignoreOlderThan = 7d
host = server
index=region

Thanks,

Ted

0 Karma

Re: Monitor Stanza's with Wildcards

SplunkTrust

Two thoughts... first, the second log doesn't have that D$ in the path, but you said they're in the same directory?
Second and more importantly, I believe the whitelist parameter takes regular expressions, so you might need Api.*\.log and Consumer.*\.log instead. See http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Whitelistorblacklistspecificincomingdata for reference.

I don't think you need the whitelist keys at all though - your monitor stanza path already covers those restrictions.

0 Karma

Re: Monitor Stanza's with Wildcards

Explorer

Thanks, I'll give it a try. And the missing D$ is purely a copy/paste fail! I tried with and without the whitelist, but neither was picking up the logs. It's pretty odd. I use the same sourcetype and general configuration in other places (sans the multiple sourcetypes in one path) without issue.

0 Karma

Re: Monitor Stanza's with Wildcards

SplunkTrust

If you're not getting anything without the whitelist keys, then adding any will only reduce your matching files, i.e. remain at nothing.

Take a poke around the _internal logs for that forwarder to see if anything weird pops up, and look at its tailing processor using this: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/


Re: Monitor Stanza's with Wildcards

Explorer

Yeah sadly, no luck. I'm wondering if it's not a bug/unsupported feature in Windows when trying to do this across a UNC share.

0 Karma

Re: Monitor Stanza's with Wildcards

Path Finder

The UNC share is supported, but you need two backslashes to start:

monitor://\\server\D$\Logs\eCommerce\Api*.log

The whitelist needs to be a regex, while in the monitor line you use file system style.

0 Karma
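
The point made in both replies above (the whitelist value is a regular expression, the monitor path is file-system style), shown as an added example that is not part of any post in this thread. The file names are constructed, the unanchored `re.search` is an assumption about how the whitelist is applied, and the `$`-anchored variant is an addition that nobody in the thread proposed.

```python
import fnmatch
import re

# Constructed sample file names; none of them come from the thread.
SAMPLE_FILES = [
    "Api.log",
    "Api_20140501.log",
    "ApiGateway.log",
    "Consumer_20140501.log",
    "Apxlog",
    "Api_20140501.log.bak",
]

def glob_matches(pattern, names):
    """File-system style matching, as written in the monitor:// path."""
    return [n for n in names if fnmatch.fnmatchcase(n, pattern)]

def regex_matches(pattern, names):
    """Regex matching, as the whitelist key is read.
    Assumption: the pattern is searched for anywhere in the name (unanchored)."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]

def coverage_gap(glob_pat, regex_pat, names):
    """Return (files the glob selects but the regex drops,
               files the regex selects but the glob does not)."""
    g = set(glob_matches(glob_pat, names))
    r = set(regex_matches(regex_pat, names))
    return sorted(g - r), sorted(r - g)

if __name__ == "__main__":
    candidates = [
        "Api*.log",       # glob text reused as a regex: 'Ap', zero or more 'i', any char, 'log'
        r"Api.*\.log",    # regex form suggested in the thread
        r"Api.*\.log$",   # anchored variant (added here, not from the thread)
    ]
    for regex_pat in candidates:
        dropped, extra = coverage_gap("Api*.log", regex_pat, SAMPLE_FILES)
        print(f"whitelist = {regex_pat}")
        print(f"  dropped vs. glob: {dropped}")
        print(f"  extra vs. glob:   {extra}")
```

Read as a regex, `Api*.log` drops dated files such as `Api_20140501.log`, so a whitelist copied from the glob quietly removes most of the files the stanza was meant to collect.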

Re: Monitor Stanza's with Wildcards

Explorer

That's just a parsing issue on this site that I didn't fix. It's correct in the actual inputs.conf. Still doesn't ever pick it up. I'm just scrapping this and finding a different solution. Thanks though.

0 Karma