So I am confused about how to write a wildcard path for the following.
I have a UF set up to monitor a file location.
For example, [.. /opt/App1/App1-1234/logs ] contains some (.log and .log.gz) files I want to send to the indexers.
I tested with absolute path /opt/App1/App1-1234/App1-app.log and the logs rolled into Splunk just fine.
Next I tried /opt/App1/App1*/logs, but that does not work.
What is the correct way to write this? /opt/App1/App1*/logs/* ???
Please advise.
Thank you


It looks like you have an extra directory specified based on the original text.
/opt/App1/App1-1234/App1-app.log
/opt/App1/App1*/logs
/opt/App1/App1*/logs/*
This will work for files without the extra "logs" directory.
[monitor:///opt/App1/App1*/*]
But, if you need to recurse directories, you will have to use this:
[monitor:///opt/App1/.../logs/*]
Reference -> https://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards
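
Added example, not part of the thread and not Splunk's own code: a simplified Python model of the wildcard translation the linked documentation describes, assuming `...` becomes `.*`, `*` becomes `[^/]*`, and the result is anchored to the full file path. It shows which of the thread's patterns select which files; the sample file list is constructed and the function names are hypothetical.

```python
import re

def monitor_to_regex(path: str) -> str:
    """Translate a monitor path with wildcards into an anchored regex (assumed model)."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")          # '...' recurses through any number of directories
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")       # '*' never crosses a '/' (one path segment only)
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return "^" + "".join(out) + "$"

def matches(pattern: str, candidate: str) -> bool:
    return re.search(monitor_to_regex(pattern), candidate) is not None

# Constructed sample files, modelled on the paths mentioned in the thread.
SAMPLE_FILES = [
    "/opt/App1/App1-1234/logs/App1-app.log",
    "/opt/App1/App1-1234/logs/App1-app.log.gz",
    "/opt/App1/App1-1234/App1-app.log",
    "/opt/App1/App1-1234/sub/logs/App1-app.log",
]

# The four wildcard paths that appear in the thread.
PATTERNS = [
    "/opt/App1/App1*/logs",
    "/opt/App1/App1*/logs/*",
    "/opt/App1/App1*/*",
    "/opt/App1/.../logs/*",
]

def match_table() -> dict:
    """Map each pattern to the sample files it would select."""
    return {p: [f for f in SAMPLE_FILES if matches(p, f)] for p in PATTERNS}

if __name__ == "__main__":
    for pattern, files in match_table().items():
        print(pattern, "->", monitor_to_regex(pattern))
        for f in files or ["(no files matched)"]:
            print("    ", f)
```

Under this model the pattern ending in `/logs` selects no files because the anchored expression ends at the directory name, which is consistent with the behaviour reported in the question. Confirm against a real forwarder before relying on it, since missed files mean missing log coverage.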


My bad, mistyped...
/opt/App1/App1-1234/logs/App1-app.log
Thank you for confirming that /opt/App1/App1*/logs/*
is a correct way to wildcard.
