Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the proper use of (*) wildcard in a file monitor path?

Log_wrangler
Builder
‎04-17-2018 02:18 PM

So I am confused about how to write a wildcard path for the following.

I have a UF set up to monitor a file location.

For example [.. /opt/App1/App1-1234/logs ] contains some ( .log and .log.gz ) files I want to send to the indexers.

I tested with absolute path /opt/App1/App1-1234/App1-app.log and the logs rolled into Splunk just fine
Next I tried /opt/App1/App1*/logs < but that does not work.

What is the correct way to write this ? /opt/App1/App1*/logs/* ???

Please advise.

Thank you

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎04-17-2018 03:22 PM

It looks like you have an extra directory specified based on the original text.

/opt/App1/App1-1234/App1-app.log
/opt/App1/App1*/logs
/opt/App1/App1*/logs/*

This will work for files without the extra "logs" directory.

[monitor:///opt/App1/App1*/*]

But, if you need to recurse directories, you will have to use this:

[monitor:///opt/App1/.../logs/*]

Reference -> https://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎04-17-2018 03:22 PM

It looks like you have an extra directory specified based on the original text.

/opt/App1/App1-1234/App1-app.log
/opt/App1/App1*/logs
/opt/App1/App1*/logs/*

This will work for files without the extra "logs" directory.

[monitor:///opt/App1/App1*/*]

But, if you need to recurse directories, you will have to use this:

[monitor:///opt/App1/.../logs/*]

Reference -> https://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎04-18-2018 06:18 PM

my bad, mistyped...

/opt/App1/App1-1234/logs/App1-app.log

thank you for confirming that /opt/App1/App1*/logs/* is a correct way to wildcard

0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!