Wildcard magic in monitor stanzas- Need help with ...

vgrote · ‎03-09-2022

Hi,

we have a directory with daily log files I want to read into Splunk 8.1.5:

/dir1/dir2/dir3/dir4/file-20220309.log, file-20220308.log, ...

Version A, working: "[monitor:///dir1/dir2/dir3/dir4]"

Version B, working: "[monitor:///dir1/*/d*/dir4/*]"

Version C, failing: "[monitor:///dir1/*/d*/dir4]"

Version C would in theory match the example of "[monitor:///apache/*/logs]" in the documentation, wouldn't it? That is, as long as "logs" is a directory.

Do I miss something here? Do I see a bug? Is there a limit on the number of wildcards in a path?

Puzzled in Hamburg

Volkmar

SanjayReddy · ‎03-09-2022

Hi @vgrote

for Version C,"[monitor:///dir1/*/d*/dir4]"

can you please share the exact location for [monitor:///apache/*/logs]

and have you tried using (...) intead of *

vgrote · ‎03-09-2022

Hello SanjayReddy,

" [monitor:///apache/*/logs] " is mentioned as an example in https://docs.splunk.com/Documentation/Splunk/8.1.5/Data/Specifyinputpathswithwildcards#Input_example....

"/.../" would recurse into all subdirectories, which could be quite a long journey leading potentially across unknown directory structures, plus I got version B working anyhow which is probably taking less time.

I just wonder if it works as documented.

Kind Regards,

Volkmar

Wildcard magic in monitor stanzas- Need help with inputs.conf

inputs.conf

monitor

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?