Getting Data In

Whitespace before closing bracket: An Issue?

morethanyell
Builder

My Fowarder App is 1.) Deployed 2.) Reloaded 3.) Phoned-in...but still no logs coming in. Here's the inputs.conf just deployed few minutes ago:

[monitor:///Some/Directory/*.logs ]
index = some_index
sourcetype = some_sourcetype
blacklist = .(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$

Is the whitespace after ..logs and before the ] our culprit? Needed confirmation.

Thanks in advance.

p.s. To those who would advice "why not just remove it and then see what happens". Yes, we will do it but our dev-ops process will not be able to pull the code into master until Monday and deploy until Tuesday next week. Thank you for understanding.

p.p.s. the directory has logs in it

0 Karma
1 Solution

morethanyell
Builder

Update: It was fixed by removing the space.

View solution in original post

markusspitzli
Communicator

Whitespaces do matter in the inputstanza. According to the documentation I would assume that any character between monitor:// and ]is considered as <path>

[monitor://<path>]
* <path> can be an entire directory or a single file.
0 Karma

morethanyell
Builder

Update: It was fixed by removing the space.

woodcock
Esteemed Legend

Wow. Crazy.

0 Karma

woodcock
Esteemed Legend

It should not be a problem (but I'd fix it anyway).

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi morethanyell,

two things I can think of:

  1. changes on inputs.conf most likely require a restart
  2. your p.s. solution is probably the solution anyway 😉

cheers, MuS

morethanyell
Builder

We've restarted already, still the same. Anyways, Thanks @MuS

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...