Getting Data In
Highlighted

What is the proper syntax for my forwarder inputs.conf stanza to monitor specific files based on a string in the filename?

New Member

Hi

I am trying to monitor specific files from one directory based on a string in the filename.

Example files:

C:\testapp\logs\02-05-2014 Logins.log
C:\testapp\logs\04-06-2014 Audits.log

There will be daily login and audit files, however, I only want to monitor the files with logins. Everything I have tried so far either forward nothing or all files! Any help much appreciated.

Last thing I tried was:

[monitor://C:\testapp\logs\[0-9-]+\sSvcLogins.log]

Thanks

0 Karma
Highlighted

Re: What is the proper syntax for my forwarder inputs.conf stanza to monitor specific files based on a string in the filename?

Splunk Employee
Splunk Employee

Have you tried just the basic :

[monitor://C:\testapp\logs\*Logins.log]

In your case, this should work.

For reference:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Specifyinputpathswithwildcards

View solution in original post

Highlighted

Re: What is the proper syntax for my forwarder inputs.conf stanza to monitor specific files based on a string in the filename?

Splunk Employee
Splunk Employee

Were you able to try this out?

0 Karma
Highlighted

Re: What is the proper syntax for my forwarder inputs.conf stanza to monitor specific files based on a string in the filename?

New Member

Hi

Yes, and I was sure I had previously tried something very similar!! but that worked

Thanks for your help

0 Karma