Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

inputs.conf batch wildcard not working

dbray_sd
Path Finder
‎05-14-2021 08:22 AM

Here is the inputs.conf entry:

 

[batch://opt/splunk/var/run/splunk/csv/*.csv]
disabled = false
move_policy = sinkhole
index = test-metrics
sourcetype = metrics_csv

 

 

However, as I monitor /opt/splunk/var/run/splunk/csv/ I see the CSV files are still there, and not getting indexed. This should have been a really simple test, but can't figure out why batch is not working.

If I hardcode a specific CSV file it works:

 

[batch://opt/splunk/var/run/splunk/csv/test.csv]
disabled = false
move_policy = sinkhole
index = test-metrics
sourcetype = metrics_csv

 

 

But obviously I need it to get all the CSV files, so I should be able to use the wildcard *.csv

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dbray_sd
Path Finder
‎05-21-2021 04:16 AM

Wow, what a simple typo that was really hard to see until I took the time and ran:

sudo -u splunk /opt/splunk/bin/splunk list inputstatus

/opt/splunk/var/run/splunk/csv/test.csv
parent = opt/splunk/var/run/splunk/csv/*.csv
type = File did not match whitelist '^opt\/splunk\/var\/run\/splunk\/csv/[^/]*\.csv$'.

That little ^opt at the beginning showed me that I was missing an extra "/" in:

[batch://opt/splunk/var/run/splunk/csv/*.csv]

It should be:

[batch:///opt/splunk/var/run/splunk/csv/*.csv]

 

So, all good to go.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dbray_sd
Path Finder
‎05-21-2021 04:16 AM

Wow, what a simple typo that was really hard to see until I took the time and ran:

sudo -u splunk /opt/splunk/bin/splunk list inputstatus

/opt/splunk/var/run/splunk/csv/test.csv
parent = opt/splunk/var/run/splunk/csv/*.csv
type = File did not match whitelist '^opt\/splunk\/var\/run\/splunk\/csv/[^/]*\.csv$'.

That little ^opt at the beginning showed me that I was missing an extra "/" in:

[batch://opt/splunk/var/run/splunk/csv/*.csv]

It should be:

[batch:///opt/splunk/var/run/splunk/csv/*.csv]

 

So, all good to go.

 

0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎05-14-2021 08:53 AM

Hi @dbray_sd 

try this

[monitor///opt/splunk/var/run/splunk/csv/*.csv]

if doesn't work and on your path are present only csv you can try this

[monitor///opt/splunk/var/run/splunk/csv/]
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

dbray_sd
Path Finder
‎05-14-2021 09:16 AM

I need it to be batch, not monitor.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...