Solved: What is the proper syntax for my forwarder inputs....

andrefriedmann · ‎09-16-2015

Hi

I am trying to monitor specific files from one directory based on a string in the filename.

Example files:

C:\testapp\logs\02-05-2014 Logins.log
C:\testapp\logs\04-06-2014 Audits.log

There will be daily login and audit files, however, I only want to monitor the files with logins. Everything I have tried so far either forward nothing or all files! Any help much appreciated.

Last thing I tried was:

[monitor://C:\testapp\logs\[0-9-]+\sSvcLogins.log]

Thanks

tlelle_splunk · ‎09-16-2015

Have you tried just the basic :

[monitor://C:\testapp\logs\*Logins.log]

In your case, this should work.

For reference:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Specifyinputpathswithwildcards

View solution in original post

tlelle_splunk · ‎09-16-2015

Have you tried just the basic :

[monitor://C:\testapp\logs\*Logins.log]

In your case, this should work.

For reference:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Specifyinputpathswithwildcards

andrefriedmann · ‎09-17-2015

Hi

Yes, and I was sure I had previously tried something very similar!! but that worked

Thanks for your help

tlelle_splunk · ‎09-17-2015

Were you able to try this out?

What is the proper syntax for my forwarder inputs.conf stanza to monitor specific files based on a string in the filename?

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Are you a member of the Splunk Community?

What is the proper syntax for my forwarder inputs.conf stanza to monitor specific files based on a string in the filename?

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1