Hello,
I need to monitor log files that are in the following directory('s'):
"c:\users\%username%\appdata\local\app\$randomnumber$\app.log"
%username% is whoever is currently logged on (but I suppose I'd be ok with "*", any user folder) and $randomnumber$ is a unique ID that's going to always be different for every desktop, possibly change over time, and possibly be more than one folder for a given user.
How would I make the file monitor stanza in inputs.conf do that?
Thanks!
Use wildcards for the unknown parts.
[monitor://c:\users\*\appdata\local\app\*\app.log]
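Added example (not part of the original answer, and not Splunk's own code): a Python sketch of the documented wildcard semantics for monitor paths, where "*" stays inside one path segment and "..." recurses through subdirectories, used to check which files a stanza path would pick up. The function names, the case-insensitive matching for Windows paths, and the sample paths are assumptions constructed for illustration.

```python
import re


def monitor_path_to_regex(monitor_path):
    """Approximate the documented wildcard rules for a Windows monitor path.

    "..." matches any number of directory levels; "*" matches within a single
    path segment only (it never crosses a backslash).
    """
    parts = []
    i = 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            parts.append(".*")          # recurse through subdirectories
            i += 3
        elif monitor_path[i] == "*":
            parts.append(r"[^\\]*")     # anything except a path separator
            i += 1
        else:
            parts.append(re.escape(monitor_path[i]))
            i += 1
    # Assumption: Windows paths are compared case-insensitively.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matching_paths(monitor_path, candidates):
    """Return the candidate file paths the monitor path would match."""
    rx = monitor_path_to_regex(monitor_path)
    return [p for p in candidates if rx.match(p)]


# Path portion of the stanza from the answer above.
STANZA_PATH = r"c:\users\*\appdata\local\app\*\app.log"

# Constructed sample paths (not real data).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\app\48151623\app.log",
    r"C:\Users\bob\AppData\Local\app\0042\app.log",
    r"C:\Users\bob\AppData\Local\app\0042\cache\app.log",  # one level too deep
    r"C:\Users\carol\AppData\Local\app\app.log",           # no ID folder
    r"C:\Users\carol\AppData\Local\app\77\app.log.1",      # rotated file
]

if __name__ == "__main__":
    for path in matching_paths(STANZA_PATH, SAMPLE_PATHS):
        print("monitored:", path)
```

Running the same check against the real directory listing shows quickly whether a stanza path that returns no data is simply one folder level off from the files on disk.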
This ended up working - not sure what was wrong before, I think the timestamps were off. But it's all there, thanks!
Thanks!
I just tried it - it doesn't SEEM to be working, I'm not getting any data in Splunk even though I know the files are being updated. Looking at the index (just searching index=someapp) returns no data (index does exist).
This is what I have:
[monitor://c:\users\*\appdata\local\someapp\apps\*\app.log]
index = someapp
sourcetype=someapp
disabled=0
Verify Splunk has read access to the file. Check splunkd.log for messages about reading the file.
It SHOULD have access - I don't see any errors or anything. The only thing that comes up is
"Parsing configuration stanza: monitor://c:\users\*\appdata\local\apps\*\app.log."
but no errors...