Getting Data In

Monitoring files within the C:\Program Files (x86) directory tree

castle1126
Communicator

Hi all, I've got the 4.1.5 Light Forwarder (64 bit) installed on a Windows 2008 (64 bit) server. I only have one directory structure and group of logs I'm trying to monitor with the following entry:

[monitor://c:\program files (x86)\directory 1\directory 2\directory 3\*\*name*.txt]
disabled = 0

When I start up the forwarding software I do see the TCP connection between this server and my indexing system. But no data is being sent across. I've taken the log files from the above tree and placed them on C:\, adjusted my inputs.conf on the system and was able to read the data. Moving the test log file to a made up directory named C:\logs also worked. I copied the test log file to C:\Program Files and modified my inputs.conf and was able to read in the log file. But when I copied the test file to C:\Program Files (x86) and modified the inputs.conf accordingly I could not read the file.

Is there something with a special character like "(" or ")" that is confusing Splunk?

Steve


ziegfried
Influencer

Probably the wildcards don't work. Try to configure it this way:

[monitor://c:\program files (x86)\directory 1\directory 2\directory 3]
disabled = 0
whitelist = .*name.*\.txt

to monitor at the upper directory level and include only files that match the whitelist regular expression.
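Added example, not from the thread or from Splunk: a small Python check that applies a whitelist regex the way Splunk does (an unanchored search against each file's full path) to a constructed set of paths, so the pattern can be sanity-checked before the forwarder is restarted. It also shows a tighter, assumed alternative regex that only matches "name" in the file name itself, since `.*name.*\.txt` will also admit a file whose directory contains "name" or whose extension merely begins with `.txt`.

```python
import re

# Constructed sample paths (assumed, not from the original thread), standing in
# for what a recursive [monitor://...directory 3] stanza would discover.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\directory 1\directory 2\directory 3\20101021\app_name_1.txt",
    r"C:\Program Files (x86)\directory 1\directory 2\directory 3\20101021\app_name_1.txt.bak",
    r"C:\Program Files (x86)\directory 1\directory 2\directory 3\20101022\error.txt",
    r"C:\Program Files (x86)\directory 1\directory 2\directory 3\hostname\summary.txt",
    r"C:\Program Files (x86)\directory 1\directory 2\directory 3\hostname\app_name_2.txt",
]

# Whitelist from the accepted answer. Splunk matches it against the full path,
# so "name" inside a directory component (e.g. "hostname") also qualifies, and
# the unanchored "\.txt" also admits "app_name_1.txt.bak".
LOOSE_WHITELIST = r".*name.*\.txt"

# Assumed tighter alternative: "name" must sit in the last path component and
# ".txt" must be the very end of the path.
STRICT_WHITELIST = r"[\\/][^\\/]*name[^\\/]*\.txt$"


def select_monitored(paths, whitelist):
    """Return the paths a whitelist regex would admit.

    Mirrors Splunk's behaviour of an unanchored regex search over the full
    path; case handling is left at Python's default (an assumption)."""
    pattern = re.compile(whitelist)
    return [p for p in paths if pattern.search(p)]


if __name__ == "__main__":
    for label, regex in (("loose", LOOSE_WHITELIST), ("strict", STRICT_WHITELIST)):
        print(f"--- {label}: {regex}")
        for path in select_monitored(SAMPLE_PATHS, regex):
            print(path)
```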


ftk
Motivator

Please accept the answer that helped you out, so this question can be closed out. Thanks

castle1126
Communicator

I added the whitelist and it looks like things are now working. Thanks for the answer Ziegfried!

southeringtonp
Motivator

You probably need to escape the parentheses like so:

[monitor://c:\program files \(x86\)\directory 1\directory 2\directory 3\*\*name*.txt]
disabled = 0

Also, be aware that you can use the splunk list monitor command to list all files that are being monitored by Splunk.

castle1126
Communicator

Also, in checking the splunk list monitor output I see the directory trees that would have the appropriate files, but do not see the file names at the end of each line. For instance, I'll see this listed, but no file name after it.

C:\Program Files (x86)\directory1\directory2\20101021

All the default Splunk monitors ($SPLUNK_HOME\var\log\splunk\splunkd.log) show correctly.

castle1126
Communicator

I've also tried to put double quotes around "Program Files (x86)" but that still didn't work.

castle1126
Communicator

I've already tried escaping the parentheses, but that didn't work. Looking through the logs I do see that Splunk says it's monitoring the directory/files - but nothing seems to come across the TCP connection.
