Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are wildcards not working when configuring the source path in inputs.conf?

danillopavan
Communicator
‎09-15-2018 08:08 AM

I am facing issues with using wildcards in my input.conf file.

I am monitoring the same directory where 2 different files are being generated, and each one should be indexed in different source types.

Path: C:\Splunkfiles\faturamentoSAP\
File 1: splunk.YYYYMMDDHHMMSS_1.CSV
File 2: splunk.YYYYMMDDHHMMSS_2.CSV

The file 1 should be indexed in sourcetype 1, and file 2 should be indexed in sourcetype 2.

I have configured both sourcepath in "Data inputs » Files & directories" like below, but it is not working:

C:\Splunkfiles\faturamentoSAP\*1.CSV
C:\Splunkfiles\faturamentoSAP\*2.CSV

If I configure as "C:\Splunkfiles\faturamentoSAP" , it is bringing both files to the same source type, but that is not what i want.

How do I configure the source path using wildcards?

Many thanks and regards.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎09-15-2018 10:21 AM

Hi @danillopavan,

If you have splunk server access in that case you can modify inputs.conf directly with below configuration.

[monitor://C:\\Splunkfiles\\faturamentoSAP\\]
whitelist = splunk\.\d{14}\_(?:1|2).csv

and props.conf as below

[source::C:\\Splunkfiles\\faturamentoSAP\\splunk.*1.csv]
sourcetype = sourcetype_1

[source::C:\\Splunkfiles\\faturamentoSAP\\splunk.*2.csv]
sourcetype = sourcetype_2

and then restart splunk service.

Reply

danillopavan
Communicator
‎09-15-2018 10:35 AM

Hello @harsmarvania57, thanks for your reply but in this moment i dont have backend server access.

Thanks and regards

0 Karma
Reply

harsmarvania57
Ultra Champion
‎09-15-2018 11:00 AM

In that case, could you please add 2 "Files & Directories", 1st with C:\\Splunkfiles\\faturamentoSAP\\splunk\.\d{14}\_1.csv and sourcetype sourcetype_1 & 2nd with C:\\Splunkfiles\\faturamentoSAP\\splunk\.\d{14}\_2.csv and sourcetype sourcetype_2

I had never tried using GUI but you can give it a try.

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...