Getting Data In

Why don't my Windows logs reach Splunk?

ddrillic
Ultra Champion

We see the following -

02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Parsing configuration stanza: monitor://E:\logs\sessiondelete\*_DELETESCRIPT.log.

And -

02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Adding watch on path: E:\logs\sessiondelete.

But they don't reach the indexers. Any ideas?

0 Karma
1 Solution

pradeepkumarg
Influencer

From - http://docs.splunk.com/Documentation/Splunk/6.0/Data/Specifyinputpathswithwildcards

Caution: In Windows, you cannot currently use a wildcard at the root level. For example, this does not work:

[monitor://E:...\foo\*.log]

Splunk Enterprise logs an error and fails to index the desired files.

This is a known issue, described in the Known Issues topic of the Release Notes. Look there for details on all known issues.

This might have been fixed in later versions, I'm not sure.


ddrillic
Ultra Champion

Gorgeous - it worked now. Please convert the comment to an answer so I can accept it...

0 Karma

pradeepkumarg
Influencer

Glad it helped.

0 Karma

ddrillic
Ultra Champion

Very much appreciated!!!

0 Karma

pradeepkumarg
Influencer

Windows doesn't play well with wildcards on the monitor path. Try using whitelist and blacklist instead to wildcard your file names.

0 Karma
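The advice in this answer (and the docs caution quoted in the accepted answer) comes down to moving the wildcard out of the `monitor://` path and into a `whitelist`. The snag is that `whitelist` and `blacklist` are regular expressions matched against the full file path, not globs, so `*_DELETESCRIPT.log` has to become `_DELETESCRIPT\.log$`. The helper below is an added example, not code from this thread or from Splunk: it rewrites a Windows monitor path with a filename glob into an `inputs.conf` stanza that monitors the directory and selects files by whitelist, and refuses paths that put the wildcard in the directory part (the unsupported case from the docs). The `recursive = false` line is a standard `inputs.conf` setting used here to keep the original single-directory scope; the function and variable names are this example's own.

```python
import re
from typing import Tuple


def split_monitor_path(path: str) -> Tuple[str, str]:
    """Split a Windows monitor path into (directory, filename glob).

    Raises ValueError when the wildcard sits in the directory part, which is
    the case the Splunk docs quoted in this thread flag as unsupported on Windows.
    """
    directory, sep, filename = path.rpartition("\\")
    if not sep:
        raise ValueError(f"not a backslash-separated Windows path: {path!r}")
    if "*" in directory or "..." in directory:
        raise ValueError(
            f"wildcard in the directory part is not supported on Windows: {directory!r}"
        )
    return directory, filename


def glob_to_whitelist(file_glob: str) -> str:
    """Translate a filename glob into the regex form that whitelist expects.

    '.' is escaped, '*' becomes '[^\\\\]*' (any run of non-separator characters),
    and the result is anchored with '$' so it must match the end of the path.
    A leading '*' is dropped because whitelist matching is unanchored at the start.
    """
    parts = file_glob.split("*")
    if parts and parts[0] == "":
        parts = parts[1:]
    return r"[^\\]*".join(re.escape(p) for p in parts) + "$"


def rewrite_windows_monitor(path: str) -> str:
    """Return an inputs.conf stanza that monitors the directory and picks the
    files with a whitelist instead of a wildcard inside monitor://."""
    directory, file_glob = split_monitor_path(path)
    return "\n".join(
        [
            f"[monitor://{directory}]",
            f"whitelist = {glob_to_whitelist(file_glob)}",
            "recursive = false",  # keep the original single-directory scope
        ]
    )


def whitelist_matches(whitelist: str, full_path: str) -> bool:
    """Check a candidate file path against a whitelist regex with an
    unanchored search, which is how Splunk applies whitelist/blacklist."""
    return re.search(whitelist, full_path) is not None


if __name__ == "__main__":
    # The path from the thread's own splunkd.log lines.
    print(rewrite_windows_monitor(r"E:\logs\sessiondelete\*_DELETESCRIPT.log"))
```

Running the block prints the stanza for the path quoted in the question: `[monitor://E:\logs\sessiondelete]` followed by `whitelist = _DELETESCRIPT\.log$` and `recursive = false`. Drop `recursive = false` if the files live in subdirectories as well.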

ddrillic
Ultra Champion

Seriously? Do you have any docs about it, by any chance?

I see the following at "Specify input paths with wildcards":

[screenshot of the docs page, not recoverable from the thread]

0 Karma

vasanthmss
Motivator
0 Karma

ddrillic
Ultra Champion

Great link - the only thing that I don't know is whether the forwarder can access this Windows folder ...

0 Karma

Richfez
SplunkTrust

Sysinternals tool Process Explorer can easily find out if your UF has that file open.

Open Process Explorer, click the binoculars, search for E:\whatever in there. If the UF has the file open, it'll be listed.

0 Karma

somesoni2
Revered Legend

Check for errors like "access denied" in splunkd.log on the forwarder (for that file).

0 Karma

ddrillic
Ultra Champion

The only references to DELETESCRIPT in splunkd.log are the two at the beginning of this thread...

0 Karma

somesoni2
Revered Legend

The forwarder should be sending _internal data to the indexers; do you at least see that? (To confirm that outputs.conf is configured correctly, check index=_internal host=yourForwarder.) Also, restart your forwarder and check splunkd.log for errors and warnings; you may catch something relevant.

0 Karma
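The two answers above boil down to reading the forwarder's splunkd.log for three things: that the stanza was parsed and a watch was added, that the output to the indexers connected, and that no WARN/ERROR entry (such as an access-denied) mentions the monitored directory. The script below is an added example, not code from this thread or from Splunk: it parses splunkd.log lines in the timestamp/level/component format the quoted lines show and summarises those three checks for one directory. The excerpt is constructed for this example; the first two lines are the ones quoted in the question, and the remaining lines are made up and do not reproduce Splunk's real message wording or component names.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List

# Constructed splunkd.log excerpt. Lines 1-2 are quoted from the question;
# lines 3-4 are invented for this example (wording and components are assumptions).
SAMPLE_SPLUNKD_LOG = """\
02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Parsing configuration stanza: monitor://E:\\logs\\sessiondelete\\*_DELETESCRIPT.log.
02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Adding watch on path: E:\\logs\\sessiondelete.
02-09-2017 21:12:50.101 -0600 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997
02-09-2017 21:12:51.300 -0600 WARN  FilesystemChangeWatcher - error getting attributes of path "E:\\logs\\sessiondelete\\20170209_DELETESCRIPT.log": Access is denied.
"""

# "MM-DD-YYYY HH:MM:SS.mmm -ZZZZ LEVEL  Component - message", as in the quoted lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+)\s+(?P<component>\w+) - (?P<msg>.*)$"
)


def parse_splunkd_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed splunkd.log line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage_monitor(text: str, directory: str) -> Dict[str, object]:
    """Summarise what splunkd.log says about one monitored Windows directory.

    Path comparison is case-insensitive because Windows paths are.
    """
    needle = directory.lower()
    entries = list(parse_splunkd_log(text))
    about_path = [e for e in entries if needle in e["msg"].lower()]

    stanza_parsed = any(
        e["component"] == "TailingProcessor" and e["msg"].startswith("Parsing configuration stanza")
        for e in about_path
    )
    watch_added = any(
        e["component"] == "TailingProcessor" and e["msg"].startswith("Adding watch on path")
        for e in about_path
    )
    # A connected output is the prerequisite for _internal data reaching the indexers.
    forwarding_ok = any(
        e["component"] == "TcpOutputProc" and e["msg"].startswith("Connected to")
        for e in entries
    )
    problems: List[Dict[str, str]] = [e for e in about_path if e["level"] in ("WARN", "ERROR")]

    return {
        "entries": len(entries),
        "levels": Counter(e["level"] for e in entries),
        "stanza_parsed": stanza_parsed,
        "watch_added": watch_added,
        "forwarding_ok": forwarding_ok,
        "problems": problems,
    }


if __name__ == "__main__":
    result = triage_monitor(SAMPLE_SPLUNKD_LOG, r"E:\logs\sessiondelete")
    for key in ("stanza_parsed", "watch_added", "forwarding_ok"):
        print(f"{key}: {result[key]}")
    for p in result["problems"]:
        print(f"{p['level']} {p['component']}: {p['msg']}")
```

On the constructed excerpt the two INFO lines from the question show the stanza was parsed and the watch added, the output connected, and the only line about the directory at WARN or above is the access-denied entry, which is exactly the kind of line the answers above say to look for. With a real splunkd.log, point `triage_monitor` at the file's contents and at the directory from your own monitor stanza.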