how can I put a "+" in monitor:// path ?

ktn01 · ‎08-03-2017

Hello,

I have the following stanza in input.conf

[monitor:///ccv/app/oracle/diag/asm/+asm/+ASM*/trace/alert_+ASM*.log]
index = cei_oracle
sourcetype = oracle:asm:log
_TCP_ROUTING = val_idx-group

and file /ccv/app/oracle/diag/asm/+asm/+ASM1/trace/alert_+ASM1.log would not been indexed.

I modifie de path replacing every "+" with a "" `[monitor:///ccv/app/oracle/diag/asm/*asm/*ASM/trace/alert_ASM.log]
` and then the file is indexed.

How can I put a "+" on my path definition?

Thanks

Christian

somesoni2 · ‎08-03-2017

Try escaping it using backward slash.

[monitor:///ccv/app/oracle/diag/asm/\+asm/\+ASM*/trace/alert_\+ASM*.log]

Anu · ‎11-23-2020

@somesoni2 still didn't work for me.. Do you have any workaround for getting asm alert log in to splunk??

ktn01 · ‎08-03-2017

Thanks,

escaping with \ is working fine...

Christian

somesoni2 · ‎08-03-2017

Glad it worked for you. Please close the question by accepting the answer that worked.

alemarzu · ‎08-03-2017

Hi there, try this out.

[monitor:///ccv/app/oracle/diag/asm/.../trace/alert_*ASM*.log]

ktn01 · ‎08-03-2017

Thanks but /.../ is to generic in this case

Christian