Solved: inputs.conf and Windows path

tlmayes · ‎11-17-2017

I know this should be simple, but for whatever reason, it's not working

Have a production Windows 2012 server where we are collecting application logs from a log file. The path is
C:\Program Files\somepath..... so created an inputs.conf as follows

[monitor://C:\Program Files\somepath\]
index=someindex
sourcetype=somesourcetype
whitelist=\logfile.*$

Restarted the Windows UF service, no errors, but no events either (yes, confirmed there are events). So suspected permissions, and instead used:

    [monitor://C:\Test Folder\somepath\]
    index=someindex
    sourcetype=somesourcetype
    whitelist=\logfile.*$

Again, nothing, so used:

    [monitor://C:\TestFolder\somepath\]
    index=someindex
    sourcetype=somesourcetype
    whitelist=\logfile.*$

Without the whitespace, and works as expected. Put the whitespace back in, modified the log file so as to force collection, and again nothing. Was able to reproduce all on a 2012 test server. There is no provision I am aware of in inputs.conf to account for whitespace since it is supposed to be automatically recognized. What am I missing?

gcusello · ‎11-17-2017

Hi tlmayes,
did you already tried?

[monitor://C:\Program Files\somepath\logfile.*]
index=someindex
sourcetype=somesourcetype

Bye.
Giuseppe

View solution in original post

tlmayes · ‎11-17-2017

Sometimes it is the simple things... Removing the recursive line fixed it

gcusello · ‎11-17-2017

Hi tlmayes,
did you already tried?

[monitor://C:\Program Files\somepath\logfile.*]
index=someindex
sourcetype=somesourcetype

Bye.
Giuseppe

inputs.conf and Windows path

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...