Getting Data In

inputs.conf wildcard Windows log

Communicator

I have log files coming in from a Windows Server and file I can receive the required files when I specify the specific filename however I need to use a wildcard and it does not seem to be working.

The log file I need to receive is named d:[path]\localhost_access_log.2019-11-08.txt but I would like to replace the date section with a wild card such as d:[path]\localhost_access_log.*.txt however the log stops when I use the wild card.

My inputs.conf looks like:

[monitor://D:\[path]\logs\]
whitelist=localhost_access_log*txt
disabled = 0

I've tried numerous variations such as * ... etc as I've seen referenced in various post, however none have worked.
When I include the exact file name in the the monitor section, the log works fine, however I need the date to be wildcarded.

Any suggestions greatly appreciated.

0 Karma
1 Solution

Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

View solution in original post

Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

View solution in original post

Esteemed Legend

Like this:

[monitor://D:\[path]\logs\localhost_access_log.*.txt]
disabled = 0

The reason that you think that it is not working is because you are probably testing it wrong. By default, Splunk will NOT resend a file just because you change the name; you have to change the content, too. Put this setting in place, then restart Splunk there, then manually create a new file that should be forwarded and fill it with anything but what is already there. It will work.

Champion

Can you try:

 [monitor://D:\[path]\logs\localhost_access_log*.txt]
 disabled = 0

Also, please find here more examples of wildcards.

0 Karma

Communicator

Thanks p_gurav . This has not changed the result. I still get no data being returned.

0 Karma

Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

if it did not work, you have to troubleshoot the input.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Troubleshoottheinputprocess

0 Karma

Communicator

Looks like this worked. Thanks very much.

0 Karma

Builder

if my solution worked, please accept the answer.

Communicator

Your solution was no provided in the "Answer" section, only as a comment so I am unable to accept the answer. IF you copy it in the "Post your answer". I can then accept it is correct.

0 Karma

Builder

I convert it to answer. thanks

0 Karma

Builder

try this one:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d{4}-\d{2}-\d{2}.txt
disabled = 0

0 Karma

Communicator

No, it appears not to be working either ivanreis.

0 Karma