Getting Data In

inputs.conf not respecting wildcard

rampsplunk
New Member

So, this is my problem area of a inputs.conf file on a box with a 4.2.2 universal forwarder:

Directory names made up here, but you get the idea.

   [monitor://C:\Program Files (x86)\DirectoryName\...\Logs]
    sourcetype = pah
    index = sandbox
    disabled = false

The problem is that regardless of if I use a ... or an * it refuses to even acknowledge the paths I want. Further, there are no indications of ANY errors in the logs.

The two paths I'm trying to monitor with this wildcard are:

C:\Program Files
(x86)\DirectoryName\Name Name Name -
Test\Logs
C:\Program Files
(x86)\DirectoryName\Name Name Name -
Live\Logs

Important to note that if I remove the wildcard and just use:

C:\Program Files
(x86)\DirectoryName\Name Name Name -
Live

It recursively loads all the files just fine. Before you ask, I've cleaned the index and to be certain I've even manually created new files in there for it to pick up, which it doesn't.

Any idea why this isn't working?

Tags (1)
0 Karma

mikelanghorst
Motivator

I was having this same issue yesterday, and as explained by jrodman when you use the wildcard, it then "changes" how it's looking at that path and is looking for the filename to end at "Logs". Not exactly how he explained it, but close.

Modify your monitor stanza, adding "\*" to the end and it should begin working. You can query the REST api to find out why it is or isn't picking up files at the following url:
https://:8089/services/admin/inputstatus/TailingProcessor%3AFileStatus

You'll need to have changed the default admin password unless you're connecting via localhost. If you look at this url now, it should list the files under your Logs directory, but complain that they don't match the whitelist of: C:\Program Files (x86)\DirectoryName.*\Logs$

lguinn2
Legend

On the forwarder, what do you get when you run

cd \Program Files\splunk\bin
splunk list monitor

The output of the "splunk list" command should give you some hint of what splunk is doing...

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...