
inputs.conf not respecting wildcard

rampsplunk
New Member

So, this is my problem area of an inputs.conf file on a box with a 4.2.2 universal forwarder:

Directory names made up here, but you get the idea.

    [monitor://C:\Program Files (x86)\DirectoryName\...\Logs]
    sourcetype = pah
    index = sandbox
    disabled = false

The problem is that regardless of whether I use a ... or an * it refuses to even acknowledge the paths I want. Further, there are no indications of ANY errors in the logs.

The two paths I'm trying to monitor with this wildcard are:

    C:\Program Files (x86)\DirectoryName\Name Name Name - Test\Logs
    C:\Program Files (x86)\DirectoryName\Name Name Name - Live\Logs

Important to note that if I remove the wildcard and just use:

    C:\Program Files (x86)\DirectoryName\Name Name Name - Live

It recursively loads all the files just fine. Before you ask, I've cleaned the index and to be certain I've even manually created new files in there for it to pick up, which it doesn't.

Any idea why this isn't working?

0 Karma

mikelanghorst
Motivator

I was having this same issue yesterday, and as explained by jrodman, when you use the wildcard, it then "changes" how it's looking at that path and is looking for the filename to end at "Logs". Not exactly how he explained it, but close.

Modify your monitor stanza, adding "\*" to the end and it should begin working. You can query the REST API to find out why it is or isn't picking up files at the following URL:
https://:8089/services/admin/inputstatus/TailingProcessor%3AFileStatus

You'll need to have changed the default admin password unless you're connecting via localhost. If you look at this URL now, it should list the files under your Logs directory, but complain that they don't match the whitelist of: C:\Program Files (x86)\DirectoryName.*\Logs$
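
An added example, not part of the original posts and not Splunk's own code: a simplified Python model of the behaviour described in the answer above, where a wildcard turns the stanza path into a whitelist regex anchored with `$`, so files below `Logs` are silently skipped until `\*` is appended. The translation rules (`...` to `.*`, `*` to "anything except a backslash") and the file name `app.log` are assumptions made for illustration.

```python
import re

SEP = "\\"

def implicit_whitelist(monitor_path):
    """Model only: return (wildcard-free base dir, anchored whitelist regex or None)."""
    segs = monitor_path.split(SEP)
    wild = [i for i, s in enumerate(segs) if s == "..." or "*" in s]
    if not wild:
        return monitor_path, None  # no wildcard: plain recursive monitor, no whitelist
    base = SEP.join(segs[:wild[0]])  # longest path prefix without a wildcard
    parts = [".*" if s == "..." else re.escape(s).replace(r"\*", r"[^\\]*")
             for s in segs]
    return base, re.escape(SEP).join(parts) + "$"

def is_monitored(monitor_path, file_path):
    """True if file_path sits under the base dir and passes the implicit whitelist."""
    base, whitelist = implicit_whitelist(monitor_path)
    if not file_path.startswith(base + SEP):
        return False
    return whitelist is None or re.search(whitelist, file_path) is not None

# Stanza paths from the question (directory names are the poster's made-up ones).
BROKEN = r"C:\Program Files (x86)\DirectoryName\...\Logs"
FIXED = BROKEN + r"\*"
NO_WILDCARD = r"C:\Program Files (x86)\DirectoryName\Name Name Name - Live"

# Constructed sample file path; "app.log" is a hypothetical file name.
LIVE_FILE = NO_WILDCARD + r"\Logs\app.log"
# A path that itself ends in "Logs" is the only thing the broken whitelist accepts.
ENDS_IN_LOGS = r"C:\Program Files (x86)\DirectoryName\Name Name Name - Test\Logs"

if __name__ == "__main__":
    for stanza in (BROKEN, FIXED, NO_WILDCARD):
        base, wl = implicit_whitelist(stanza)
        print(f"stanza:    {stanza}\n  base:    {base}\n  regex:   {wl}")
        print(f"  picks up {LIVE_FILE!r}: {is_monitored(stanza, LIVE_FILE)}")
```

Comparing the printed regex with the whitelist that the inputstatus endpoint reports is a quick way to see why a forwarder is quietly ingesting nothing.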

lguinn2
Legend

On the forwarder, what do you get when you run

    cd \Program Files\splunk\bin
    splunk list monitor

The output of the "splunk list" command should give you some hint of what splunk is doing...

0 Karma