Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- inputs.conf batch wildcard not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the inputs.conf entry:
[batch://opt/splunk/var/run/splunk/csv/*.csv]
disabled = false
move_policy = sinkhole
index = test-metrics
sourcetype = metrics_csv
However, as I monitor /opt/splunk/var/run/splunk/csv/ I see the CSV files are still there, and not getting indexed. This should have been a really simple test, but can't figure out why batch is not working.
If I hardcode a specific CSV file it works:
[batch://opt/splunk/var/run/splunk/csv/test.csv]
disabled = false
move_policy = sinkhole
index = test-metrics
sourcetype = metrics_csv
But obviously I need it to get all the CSV files, so I should be able to use the wildcard *.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow, what a simple typo that was really hard to see until I took the time and ran:
sudo -u splunk /opt/splunk/bin/splunk list inputstatus
/opt/splunk/var/run/splunk/csv/test.csv
parent = opt/splunk/var/run/splunk/csv/*.csv
type = File did not match whitelist '^opt\/splunk\/var\/run\/splunk\/csv/[^/]*\.csv$'. That little ^opt at the beginning showed me that I was missing an extra "/" in:
[batch://opt/splunk/var/run/splunk/csv/*.csv]
It should be:
[batch:///opt/splunk/var/run/splunk/csv/*.csv]
So, all good to go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow, what a simple typo that was really hard to see until I took the time and ran:
sudo -u splunk /opt/splunk/bin/splunk list inputstatus
/opt/splunk/var/run/splunk/csv/test.csv
parent = opt/splunk/var/run/splunk/csv/*.csv
type = File did not match whitelist '^opt\/splunk\/var\/run\/splunk\/csv/[^/]*\.csv$'. That little ^opt at the beginning showed me that I was missing an extra "/" in:
[batch://opt/splunk/var/run/splunk/csv/*.csv]
It should be:
[batch:///opt/splunk/var/run/splunk/csv/*.csv]
So, all good to go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @dbray_sd
try this
[monitor///opt/splunk/var/run/splunk/csv/*.csv]if doesn't work and on your path are present only csv you can try this
[monitor///opt/splunk/var/run/splunk/csv/]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need it to be batch, not monitor.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
