Getting Data In

inputs.conf not respecting wildcard

rampsplunk
New Member

So, this is my problem area of an inputs.conf file on a box with a 4.2.2 universal forwarder:

Directory names made up here, but you get the idea.

    [monitor://C:\Program Files (x86)\DirectoryName\...\Logs]
    sourcetype = pah
    index = sandbox
    disabled = false

The problem is that regardless of if I use a ... or an * it refuses to even acknowledge the paths I want. Further, there are no indications of ANY errors in the logs.

The two paths I'm trying to monitor with this wildcard are:

    C:\Program Files (x86)\DirectoryName\Name Name Name - Test\Logs
    C:\Program Files (x86)\DirectoryName\Name Name Name - Live\Logs

Important to note that if I remove the wildcard and just use:

    C:\Program Files (x86)\DirectoryName\Name Name Name - Live

It recursively loads all the files just fine. Before you ask, I've cleaned the index and to be certain I've even manually created new files in there for it to pick up, which it doesn't.

Any idea why this isn't working?

0 Karma

mikelanghorst
Motivator

I was having this same issue yesterday, and as explained by jrodman, when you use the wildcard, it then "changes" how it's looking at that path and is looking for the filename to end at "Logs". Not exactly how he explained it, but close.

Modify your monitor stanza, adding "\*" to the end and it should begin working. You can query the REST API to find out why it is or isn't picking up files at the following URL:
https://:8089/services/admin/inputstatus/TailingProcessor%3AFileStatus

You'll need to have changed the default admin password unless you're connecting via localhost. If you look at this URL now, it should list the files under your Logs directory, but complain that they don't match the whitelist of: C:\Program Files (x86)\DirectoryName.*\Logs$
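
The whitelist behaviour described in this answer, as an added example that is not part of the original post and not Splunk's own code: a simplified Python model of how a wildcard monitor path becomes a base directory plus an end-anchored whitelist regex. The translation rules (`...` to `.*`, `*` to `[^\\]*`) and the file name `app.log` are assumptions made for illustration.

```python
import re

# Constructed inputs: the stanza path from the question, the suggested fix,
# and a hypothetical file (app.log) under one of the two Logs directories.
ORIGINAL = r"C:\Program Files (x86)\DirectoryName\...\Logs"
FIXED = ORIGINAL + r"\*"
NO_WILDCARD = r"C:\Program Files (x86)\DirectoryName\Name Name Name - Live"
LIVE_LOGS_DIR = NO_WILDCARD + r"\Logs"
LIVE_FILE = LIVE_LOGS_DIR + r"\app.log"


def implicit_whitelist(monitor_path):
    """Return (base_dir, whitelist_regex or None) for a Windows monitor path."""
    segments = monitor_path.split("\\")
    wild = [i for i, s in enumerate(segments) if "..." in s or "*" in s]
    if not wild:
        # No wildcard: the whole path is monitored recursively, no whitelist.
        return monitor_path, None
    # The monitored base is everything before the first wildcard segment.
    base_dir = "\\".join(segments[:wild[0]])
    parts = []
    for token in re.split(r"(\.\.\.|\*)", monitor_path):
        if token == "...":
            parts.append(".*")          # assumed: may cross directory levels
        elif token == "*":
            parts.append(r"[^\\]*")     # assumed: stays within one segment
        else:
            parts.append(re.escape(token))
    # Anchored at the end, so the full file path must end where the stanza ends.
    return base_dir, "^" + "".join(parts) + "$"


def would_tail(monitor_path, file_path):
    """True if file_path is under the base and passes the implicit whitelist."""
    base_dir, whitelist = implicit_whitelist(monitor_path)
    if not file_path.startswith(base_dir + "\\"):
        return False
    return whitelist is None or re.search(whitelist, file_path) is not None


if __name__ == "__main__":
    for stanza in (ORIGINAL, FIXED, NO_WILDCARD):
        print(f"{stanza!r}: tails app.log = {would_tail(stanza, LIVE_FILE)}")
```

With the original stanza only the `Logs` directory path itself satisfies the whitelist, so every file beneath it is skipped without an error, which is the silent collection gap described in the question.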

lguinn2
Legend

On the forwarder, what do you get when you run

    cd \Program Files\splunk\bin
    splunk list monitor

The output of the "splunk list" command should give you some hint of what splunk is doing...

0 Karma