Why don't my Windows logs reach Splunk?

ddrillic
Ultra Champion

We see the following -

02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Parsing configuration stanza: monitor://E:\logs\sessiondelete\*_DELETESCRIPT.log.

And -

02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Adding watch on path: E:\logs\sessiondelete.

But they don't reach the indexers. Any ideas?

0 Karma
1 Solution

pradeepkumarg
Influencer

From - http://docs.splunk.com/Documentation/Splunk/6.0/Data/Specifyinputpathswithwildcards

Caution: In Windows, you cannot currently use a wildcard at the root level. For example, this does not work:

[monitor://E:\...\foo\*.log]
Splunk Enterprise logs an error and fails to index the desired files.

This is a known issue, described in the Known Issues topic of the Release Notes. Look there for details on all known issues.

This might have been fixed in later versions, I'm not sure.

ddrillic
Ultra Champion

Gorgeous - it worked now. Please convert the comment to an answer so I can accept it...

0 Karma

pradeepkumarg
Influencer

Glad it helped..

0 Karma

ddrillic
Ultra Champion

Very much appreciated!!!

0 Karma

pradeepkumarg
Influencer

Windows doesn't play well with wildcards on the monitor path. Try using whitelist and blacklist instead to wildcard your file names.

0 Karma
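
Added example, not from the thread or from Splunk: a small Python audit that reads monitor stanzas from inputs.conf text, flags Windows paths containing wildcards, and proposes the literal directory plus a whitelist regex, as suggested above. The sample stanzas are constructed from the paths quoted in the thread, and the wildcard-to-regex mapping (`*` stays within one path segment, `...` spans directories) is an assumption about Splunk's wildcard behaviour.

```python
import re

# Constructed sample inputs.conf, modelled on the paths quoted in this thread.
SAMPLE_CONF = r"""
[monitor://E:\logs\sessiondelete\*_DELETESCRIPT.log]
index = main

[monitor://E:\...\foo\*.log]

[monitor://E:\logs\app]
"""

STANZA = re.compile(r"^\[monitor://(?P<path>[^\]]+)\]$")

def split_wildcard(path):
    """Return (literal base directory, whitelist regex), or (path, None)
    when the Windows monitor path contains no wildcard."""
    segs = path.split("\\")
    first = next((i for i, s in enumerate(segs) if "*" in s or s == "..."), None)
    if first is None:
        return path, None
    parts = []
    for seg in segs[first:]:
        if seg == "...":
            parts.append(".*")  # assumption: "..." spans any number of directories
        else:
            # assumption: "*" matches within a single path segment only
            parts.append(r"[^\\]*".join(re.escape(p) for p in seg.split("*")))
    return "\\".join(segs[:first]), r"\\".join(parts) + "$"

def audit(conf_text):
    """List monitor stanzas whose path uses wildcards, with a suggested rewrite."""
    findings = []
    for line in conf_text.splitlines():
        m = STANZA.match(line.strip())
        if not m:
            continue
        base, whitelist = split_wildcard(m.group("path"))
        if whitelist is not None:
            findings.append({
                "stanza": m.group("path"),
                "monitor": base,          # directory to monitor instead
                "whitelist": whitelist,   # regex matched against the full path
                # wildcard directly under the drive letter: the documented caution
                "root_level": re.fullmatch(r"[A-Za-z]:", base) is not None,
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f)
```

A directory monitor recurses into subfolders by default, so the suggested whitelist also applies to matching file names below the base directory.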

ddrillic
Ultra Champion

Seriously? Do you have any docs about it, by any chance?

I see the following at Specify input paths with wildcards

0 Karma

vasanthmss
Motivator
0 Karma

ddrillic
Ultra Champion

Great link - the only thing that I don't know is whether the forwarder can access this Windows folder ...

0 Karma

Richfez
SplunkTrust

Sysinternals tool Process Explorer can easily find out if your UF has that file open.

Open Process Explorer, click the binoculars, search for E:\whatever in there. If the UF has the file open, it'll be listed.

0 Karma

somesoni2
Revered Legend

Check for errors like access denied in the splunkd.log on the forwarder (for that file).

0 Karma

ddrillic
Ultra Champion

The only references to DELETESCRIPT in splunkd.log are the two at the beginning of this thread...

0 Karma

somesoni2
Revered Legend

The forwarder should be sending _internal data to Indexers. Do you at least see that? (To confirm that outputs.conf is configured correctly, check index=_internal host=yourForwarder.) Also, restart your forwarder and check the splunkd.log for errors and warnings; you may catch something relevant.

0 Karma