Getting Data In

Whitespace before closing bracket: An Issue?

morethanyell
Builder

My Fowarder App is 1.) Deployed 2.) Reloaded 3.) Phoned-in...but still no logs coming in. Here's the inputs.conf just deployed few minutes ago:

[monitor:///Some/Directory/*.logs ]
index = some_index
sourcetype = some_sourcetype
blacklist = .(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$

Is the whitespace after ..logs and before the ] our culprit? Needed confirmation.

Thanks in advance.

p.s. To those who would advice "why not just remove it and then see what happens". Yes, we will do it but our dev-ops process will not be able to pull the code into master until Monday and deploy until Tuesday next week. Thank you for understanding.

p.p.s. the directory has logs in it

0 Karma
1 Solution

morethanyell
Builder

Update: It was fixed by removing the space.

View solution in original post

markusspitzli
Communicator

Whitespaces do matter in the inputstanza. According to the documentation I would assume that any character between monitor:// and ]is considered as <path>

[monitor://<path>]
* <path> can be an entire directory or a single file.
0 Karma

morethanyell
Builder

Update: It was fixed by removing the space.

woodcock
Esteemed Legend

Wow. Crazy.

0 Karma

woodcock
Esteemed Legend

It should not be a problem (but I'd fix it anyway).

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi morethanyell,

two things I can think of:

  1. changes on inputs.conf most likely require a restart
  2. your p.s. solution is probably the solution anyway 😉

cheers, MuS

morethanyell
Builder

We've restarted already, still the same. Anyways, Thanks @MuS

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...