Getting Data In

inputs.conf not respecting wildcard

New Member

So, this is my problem area of a inputs.conf file on a box with a 4.2.2 universal forwarder:

Directory names made up here, but you get the idea.

   [monitor://C:\Program Files (x86)\DirectoryName\...\Logs]
    sourcetype = pah
    index = sandbox
    disabled = false

The problem is that regardless of if I use a ... or an * it refuses to even acknowledge the paths I want. Further, there are no indications of ANY errors in the logs.

The two paths I'm trying to monitor with this wildcard are:

C:\Program Files
(x86)\DirectoryName\Name Name Name -
Test\Logs
C:\Program Files
(x86)\DirectoryName\Name Name Name -
Live\Logs

Important to note that if I remove the wildcard and just use:

C:\Program Files
(x86)\DirectoryName\Name Name Name -
Live

It recursively loads all the files just fine. Before you ask, I've cleaned the index and to be certain I've even manually created new files in there for it to pick up, which it doesn't.

Any idea why this isn't working?

Tags (1)
0 Karma

Motivator

I was having this same issue yesterday, and as explained by jrodman when you use the wildcard, it then "changes" how it's looking at that path and is looking for the filename to end at "Logs". Not exactly how he explained it, but close.

Modify your monitor stanza, adding "\*" to the end and it should begin working. You can query the REST api to find out why it is or isn't picking up files at the following url:
https://:8089/services/admin/inputstatus/TailingProcessor%3AFileStatus

You'll need to have changed the default admin password unless you're connecting via localhost. If you look at this url now, it should list the files under your Logs directory, but complain that they don't match the whitelist of: C:\Program Files (x86)\DirectoryName.*\Logs$

Legend

On the forwarder, what do you get when you run

cd \Program Files\splunk\bin
splunk list monitor

The output of the "splunk list" command should give you some hint of what splunk is doing...

0 Karma