Getting Data In

inputs.conf wildcard Windows log

Communicator

I have log files coming in from a Windows Server and file I can receive the required files when I specify the specific filename however I need to use a wildcard and it does not seem to be working.

The log file I need to receive is named d:[path]\localhost_access_log.2019-11-08.txt but I would like to replace the date section with a wild card such as d:[path]\localhost_access_log.*.txt however the log stops when I use the wild card.

My inputs.conf looks like:

[monitor://D:\[path]\logs\]
whitelist=localhost_access_log*txt
disabled = 0

I've tried numerous variations such as * ... etc as I've seen referenced in various post, however none have worked.
When I include the exact file name in the the monitor section, the log works fine, however I need the date to be wildcarded.

Any suggestions greatly appreciated.

0 Karma
1 Solution

Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

View solution in original post

Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

View solution in original post

Esteemed Legend

Like this:

[monitor://D:\[path]\logs\localhost_access_log.*.txt]
disabled = 0

The reason that you think that it is not working is because you are probably testing it wrong. By default, Splunk will NOT resend a file just because you change the name; you have to change the content, too. Put this setting in place, then restart Splunk there, then manually create a new file that should be forwarded and fill it with anything but what is already there. It will work.

Champion

Can you try:

 [monitor://D:\[path]\logs\localhost_access_log*.txt]
 disabled = 0

Also, please find here more examples of wildcards.

0 Karma

Communicator

Thanks p_gurav . This has not changed the result. I still get no data being returned.

0 Karma

Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

if it did not work, you have to troubleshoot the input.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Troubleshoottheinputprocess

0 Karma

Communicator

Looks like this worked. Thanks very much.

0 Karma

Builder

if my solution worked, please accept the answer.

Communicator

Your solution was no provided in the "Answer" section, only as a comment so I am unable to accept the answer. IF you copy it in the "Post your answer". I can then accept it is correct.

0 Karma

Builder

I convert it to answer. thanks

0 Karma

Builder

try this one:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d{4}-\d{2}-\d{2}.txt
disabled = 0

0 Karma

Communicator

No, it appears not to be working either ivanreis.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!