inputs.conf wildcard Windows log

balcv
Contributor

I have log files coming in from a Windows Server, and I can receive the required files when I specify the specific filename; however, I need to use a wildcard and it does not seem to be working.

The log file I need to receive is named d:[path]\localhost_access_log.2019-11-08.txt, but I would like to replace the date section with a wildcard such as d:[path]\localhost_access_log.*.txt; however, the log stops when I use the wildcard.

My inputs.conf looks like:

[monitor://D:\[path]\logs\]
whitelist=localhost_access_log*txt
disabled = 0

I've tried numerous variations such as * ... etc. as I've seen referenced in various posts; however, none have worked.
When I include the exact file name in the monitor section, the log works fine, however I need the date to be wildcarded.

Any suggestions greatly appreciated.

0 Karma
1 Solution

ivanreis
Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

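As an added example (not code from the thread or from Splunk), a small Python check of how a Splunk whitelist is evaluated: it is a regular expression searched against the full path, not a filename glob. It runs the pattern from the question, the accepted answer above, and ivanreis's later date-based variant (localhost_access_log.\d{4}-\d{2}-\d{2}.txt) over constructed sample paths; the directory D:\tomcat\logs\ is a placeholder for the thread's [path].

```python
import re

# Constructed sample paths under the monitored directory (D:\tomcat\logs\ stands
# in for the thread's D:\[path]\logs\). The last two are there to show what a
# pattern admits beyond the access log itself.
SAMPLE_PATHS = [
    r"D:\tomcat\logs\localhost_access_log.2019-11-08.txt",
    r"D:\tomcat\logs\localhost_access_log.2019-11-09.txt",
    r"D:\tomcat\logs\catalina.2019-11-08.log",
    r"D:\tomcat\logs\localhost_access_log.2019-11-08.txt.gz",
]

# The whitelist values that appear in the thread, verbatim.
WHITELISTS = {
    "question (glob-style)": r"localhost_access_log*txt",
    "accepted answer": r"localhost_access_log.\d[^-].*.txt$",
    "date-based variant": r"localhost_access_log.\d{4}-\d{2}-\d{2}.txt",
}


def whitelist_matches(pattern, paths):
    """Return the paths a Splunk whitelist regex would admit.

    Splunk applies whitelist as a regex to the whole path (search semantics),
    so '*' is a quantifier on the preceding character, not a wildcard: the
    question's value requires 'lo' + any number of 'g' + 'txt' in a row and
    therefore never matches 'log.2019-11-08.txt'.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def glob_to_whitelist(glob_pattern):
    """Turn a filename glob (hypothetical helper) into an anchored whitelist regex.

    Every '*' becomes '.*', all other characters are escaped literally, and the
    result is anchored with '$' so rotated copies such as '.txt.gz' are not
    picked up by accident (the date-based variant above lacks that anchor).
    """
    parts = [re.escape(piece) for piece in glob_pattern.split("*")]
    return ".*".join(parts) + "$"


if __name__ == "__main__":
    for label, pattern in WHITELISTS.items():
        print(f"{label:24} {pattern!r}")
        for path in whitelist_matches(pattern, SAMPLE_PATHS):
            print("    admits", path)
    print("glob -> whitelist:", glob_to_whitelist("localhost_access_log.*.txt"))
```

Whether Splunk then reads a matched file also depends on its content having changed, as woodcock notes below; this check only answers the pattern question.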
woodcock
Esteemed Legend

Like this:

[monitor://D:\[path]\logs\localhost_access_log.*.txt]
disabled = 0

The reason that you think that it is not working is because you are probably testing it wrong. By default, Splunk will NOT resend a file just because you change the name; you have to change the content, too. Put this setting in place, then restart Splunk there, then manually create a new file that should be forwarded and fill it with anything but what is already there. It will work.

p_gurav
Champion

Can you try:

[monitor://D:\[path]\logs\localhost_access_log*.txt]
disabled = 0

Also, please find here more examples of wildcards.

0 Karma

balcv
Contributor

Thanks p_gurav . This has not changed the result. I still get no data being returned.

0 Karma

ivanreis
Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

If it did not work, you have to troubleshoot the input.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Troubleshoottheinputprocess

0 Karma

balcv
Contributor

Looks like this worked. Thanks very much.

0 Karma

ivanreis
Builder

If my solution worked, please accept the answer.

balcv
Contributor

Your solution was not provided in the "Answer" section, only as a comment, so I am unable to accept the answer. If you copy it into "Post your answer", I can then accept it as correct.

0 Karma

ivanreis
Builder

I converted it to an answer. Thanks.

0 Karma

ivanreis
Builder

Try this one:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d{4}-\d{2}-\d{2}.txt
disabled = 0

0 Karma

balcv
Contributor

No, it appears not to be working either, ivanreis.

0 Karma