I have log files coming in from a Windows Server, and I can receive the required files when I specify the specific filename; however, I need to use a wildcard and it does not seem to be working.
The log file I need to receive is named d:[path]\localhost_access_log.2019-11-08.txt but I would like to replace the date section with a wild card such as d:[path]\localhost_access_log.*.txt however the log stops when I use the wild card.
My inputs.conf looks like:
[monitor://D:\[path]\logs\]
whitelist=localhost_access_log*txt
disabled = 0
I've tried numerous variations such as * ... etc as I've seen referenced in various posts, however none have worked.
When I include the exact file name in the monitor section, the log works fine, however I need the date to be wildcarded.
Any suggestions greatly appreciated.
Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0
Like this:
[monitor://D:\[path]\logs\localhost_access_log.*.txt]
disabled = 0
The reason that you think that it is not working is because you are probably testing it wrong. By default, Splunk will NOT resend a file just because you change the name; you have to change the content, too. Put this setting in place, then restart Splunk there, then manually create a new file that should be forwarded and fill it with anything but what is already there. It will work.
Can you try:
[monitor://D:\[path]\logs\localhost_access_log*.txt]
disabled = 0
Also, please find here more examples of wildcards.
Thanks p_gurav. This has not changed the result. I still get no data being returned.
Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0
https://regex101.com/r/vXzgcK/1
If it did not work, you have to troubleshoot the input.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Troubleshoottheinputprocess
Looks like this worked. Thanks very much.
If my solution worked, please accept the answer.
Your solution was not provided in the "Answer" section, only as a comment, so I am unable to accept the answer. If you copy it into "Post your answer", I can then accept it as correct.
I converted it to an answer. Thanks.
Try this one:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d{4}-\d{2}-\d{2}.txt
disabled = 0
No, it appears not to be working either, ivanreis.
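
The whitelist values posted in this thread are regular expressions, not file globs, which is why localhost_access_log*txt never matched. The following check is an added example, not code from any poster or from Splunk: it assumes Python's re module behaves like Splunk's regex engine for these patterns, uses constructed sample paths with "app" standing in for the elided [path], and adds a hypothetical "strict" pattern for comparison.

```python
import re

# Constructed sample paths; "app" stands in for the elided [path] on the page.
SAMPLE_PATHS = [
    r"D:\app\logs\localhost_access_log.2019-11-08.txt",
    r"D:\app\logs\localhost_access_log.2019-11-09.txt",
    r"D:\app\logs\catalina.2019-11-08.log",
    r"D:\app\logs\localhost_access_log.2019-11-08.txt.bak",
]

# whitelist values quoted from the thread.
WHITELISTS = {
    "question": r"localhost_access_log*txt",
    "accepted": r"localhost_access_log.\d[^-].*.txt$",
    "date": r"localhost_access_log.\d{4}-\d{2}-\d{2}.txt",
}
# Hypothetical tightened variant (not from the thread): literal dots,
# a leading path separator and an end anchor.
WHITELISTS["strict"] = r"\\localhost_access_log\.\d{4}-\d{2}-\d{2}\.txt$"


def whitelisted(pattern, path):
    """A whitelist admits a file when the regex matches anywhere in its
    full path, so an unanchored search is used here."""
    return re.search(pattern, path) is not None


def matches(name):
    """Return the sample paths admitted by the named whitelist."""
    return [p for p in SAMPLE_PATHS if whitelisted(WHITELISTS[name], p)]


if __name__ == "__main__":
    for name, pattern in WHITELISTS.items():
        print(f"{name:9} {pattern}")
        for path in SAMPLE_PATHS:
            verdict = "monitor" if whitelisted(pattern, path) else "skip"
            print(f"    {verdict:8} {path}")
```

In the question's pattern the * only repeats the preceding g, so "txt" would have to follow "log" directly and nothing is admitted; the unanchored date pattern also admits the .txt.bak copy. A match here only says the filter admits the path: as one answer above notes, Splunk will not resend a file just because its name changed.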