Getting Data In

inputs.conf batch wildcard not working

dbray_sd
Path Finder

Here is the inputs.conf entry:

 

[batch://opt/splunk/var/run/splunk/csv/*.csv]
disabled = false
move_policy = sinkhole
index = test-metrics
sourcetype = metrics_csv

 

 

However, as I monitor /opt/splunk/var/run/splunk/csv/ I see the CSV files are still there, and not getting indexed. This should have been a really simple test, but can't figure out why batch is not working.

If I hardcode a specific CSV file it works:

 

[batch://opt/splunk/var/run/splunk/csv/test.csv]
disabled = false
move_policy = sinkhole
index = test-metrics
sourcetype = metrics_csv

 

 

But obviously I need it to get all the CSV files, so I should be able to use the wildcard *.csv

Labels (1)
0 Karma
1 Solution

dbray_sd
Path Finder

Wow, what a simple typo that was really hard to see until I took the time and ran:

sudo -u splunk /opt/splunk/bin/splunk list inputstatus

/opt/splunk/var/run/splunk/csv/test.csv
parent = opt/splunk/var/run/splunk/csv/*.csv
type = File did not match whitelist '^opt\/splunk\/var\/run\/splunk\/csv/[^/]*\.csv$'. 

That little ^opt at the beginning showed me that I was missing an extra "/" in:

[batch://opt/splunk/var/run/splunk/csv/*.csv]

It should be:

[batch:///opt/splunk/var/run/splunk/csv/*.csv]

 

So, all good to go.

 

View solution in original post

0 Karma

dbray_sd
Path Finder

Wow, what a simple typo that was really hard to see until I took the time and ran:

sudo -u splunk /opt/splunk/bin/splunk list inputstatus

/opt/splunk/var/run/splunk/csv/test.csv
parent = opt/splunk/var/run/splunk/csv/*.csv
type = File did not match whitelist '^opt\/splunk\/var\/run\/splunk\/csv/[^/]*\.csv$'. 

That little ^opt at the beginning showed me that I was missing an extra "/" in:

[batch://opt/splunk/var/run/splunk/csv/*.csv]

It should be:

[batch:///opt/splunk/var/run/splunk/csv/*.csv]

 

So, all good to go.

 

0 Karma

aasabatini
Motivator

Hi @dbray_sd 

try this

[monitor///opt/splunk/var/run/splunk/csv/*.csv]

if doesn't work and on your path are present only csv you can try this

[monitor///opt/splunk/var/run/splunk/csv/]
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

dbray_sd
Path Finder

I need it to be batch, not monitor.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...