Getting Data In

Monitoring files within the C:\Program Files (x86) directory tree

Communicator

Hi all, I've got the 4.1.5 Light Forwarder (64 bit) installed on a Windows 2008 (64 bit) server. I only have one directory structure and group of logs I'm trying to monitor with the following entry:

[monitor://c:\program files (x86)\directory 1\directory 2\directory 3\*\*name*.txt]
disabled = 0

When I start up the forwarding software I do see the TCP connection between this server and my indexing system. But no data is being sent across. I've taken the log files from the above tree and placed them on C:\, adjusted my inputs.conf on the system and was able to read the data. Moving the test log file to a made up directory named C:\logs also worked. I copied the test log file to C:\Program Files and modified my inputs.conf and was able to read in the log file. But when I copied the test file to C:\Program Files (x86) and modified the inputs.conf accordingly I could not read the file.

Is there something with a special character like "(" or ")" that is confusing Splunk?

Steve

1 Solution

Influencer

Probably the wildcards don't work. Try to configure it this way:

[monitor://c:\program files (x86)\directory 1\directory 2\directory 3]
disabled = 0
whitelist = .*name.*\.txt

to monitor at the upper directory level and include only files that match the whitelist regular expression.

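The accepted answer relies on Splunk applying the whitelist as a regular expression to each file's full path rather than as a wildcard. The script below is an added example (not code from the thread or from Splunk) that reproduces that matching over a constructed set of paths from the directory tree in the question, and shows two caveats a practitioner should check: an unanchored `\.txt` also picks up `.txt.bak` rotations, and any whitelist that spells out the `Program Files (x86)` directory must escape the parentheses and backslashes, because they are regex metacharacters.

```python
import re

# Constructed sample of files a forwarder might discover under the monitored tree
# (the directory names follow the question; the file names are made up).
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\directory 1\directory 2\directory 3\20101021\app-name-01.txt",
    r"C:\Program Files (x86)\directory 1\directory 2\directory 3\20101021\app-name-01.txt.bak",
    r"C:\Program Files (x86)\directory 1\directory 2\directory 3\20101021\other.txt",
    r"C:\Program Files (x86)\directory 1\directory 2\directory 3\20101022\name.txt",
]

# Whitelist from the accepted answer: matches "name" anywhere, then ".txt" anywhere after it.
WHITELIST_FROM_ANSWER = r".*name.*\.txt"

# Tighter variant: require ".txt" to be the end of the file name, so rotated copies are skipped.
WHITELIST_ANCHORED_EXT = r".*name.*\.txt$"

# If the regex repeats the directory literal, "(x86)" becomes a capture group matching "x86"
# without parentheses, so it never matches the real path ...
WHITELIST_UNESCAPED_DIR = r"^C:\\Program Files (x86)\\.*name.*\.txt$"

# ... whereas the escaped form matches as intended.
WHITELIST_ESCAPED_DIR = r"^C:\\Program Files \(x86\)\\.*name.*\.txt$"


def whitelist_matches(paths, whitelist):
    """Return the subset of paths a monitor stanza with this whitelist would ingest.

    Splunk evaluates whitelist/blacklist as unanchored regexes against the full path,
    which is what re.search does here.
    """
    pattern = re.compile(whitelist)
    return [p for p in paths if pattern.search(p)]


def file_names(paths):
    """Strip directories so results are easy to read and compare."""
    return [p.rsplit("\\", 1)[-1] for p in paths]


if __name__ == "__main__":
    for label, wl in [("answer", WHITELIST_FROM_ANSWER),
                      ("anchored ext", WHITELIST_ANCHORED_EXT),
                      ("unescaped dir", WHITELIST_UNESCAPED_DIR),
                      ("escaped dir", WHITELIST_ESCAPED_DIR)]:
        print(f"{label:14} {wl!r:48} -> {file_names(whitelist_matches(SAMPLE_PATHS, wl))}")
```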

Motivator

Please accept the answer that helped you out, so this question can be closed out. Thanks



Communicator

I added the whitelist and it looks like things are now working. Thanks for the answer Ziegfried!


Motivator

You probably need to escape the parentheses like so:

[monitor://c:\program files \(x86\)\directory 1\directory 2\directory 3\*\*name*.txt]
disabled = 0

Also, be aware that you can use the splunk list monitor command to list all files that are being monitored by Splunk.


Communicator

Also, in checking the splunk list monitor output I see the directory trees that would have the appropriate files, but do not see the file names at the end of each line. For instance I'll see this listed, but no file name after.

C:\Program Files (x86)\directory1\directory2\20101021

All the default Splunk monitors ($SPLUNK_HOME\var\log\splunk\splunkd.log) all show correctly.


Communicator

I've also tried to put double quotes around "Program Files (x86)" but that still didn't work.


Communicator

I've already tried escaping the parentheses, but that didn't work. Looking through the logs I do see that Splunk does say it's monitoring the directory/files - but nothing seems to come across the TCP connection.
