Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows universal forwarder localappdata

Niro
Explorer
‎02-07-2024 12:53 PM

Hello,

 

I need to monitor log files that are in the following directory('s'):

 

"c:\users\%username%\appdata\local\app\$randomnumber$\app.log"

%username% is whoever is currently logged on (but I suppose I'd be ok with "*", any user folder) and $randomnumber$ is a unique ID that's going to always be different for every desktop, possibly change over time, and possibly be more than one folder for a given user.

How would I make the file monitor stanza in inputs.conf do that?

 

Thanks!

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2024 01:41 PM

Use wildcards for the unknown parts.

[monitor://c:\users\*\appdata\local\app\*\app.log]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2024 01:41 PM

Use wildcards for the unknown parts.

[monitor://c:\users\*\appdata\local\app\*\app.log]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Niro
Explorer
‎02-13-2024 10:18 AM

This ended up working - not sure what was wrong before, I think the timestamps were off. But it's all there, thanks!

Reply
Solved! Jump to solution

Niro
Explorer
‎02-07-2024 02:01 PM

Thanks!

I just tried it - it doesn't SEEM to be working, I'm not getting any data in splunk even  though I know the files are being updated. Looking at the index (just searching index=someapp) returns no data (index does exist).

This is what I have:

[monitor://c:\users\*\appdata\local\someapp\apps\*\app.log]
index = someapp
sourcetype=someapp
disabled=0

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2024 02:33 PM

Verify splunk has read access to the file.  Check splunkd.log for messages about reading the file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Niro
Explorer
‎02-07-2024 02:50 PM

it SHOULD have access - I don't see any errors or anything. The only thing that comes up is 

"Parsing configuration stanza: monitor://c:\users\*\appdata\local\apps\*\app.log."

but no errors...

0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...