Getting Data In

inputs.conf + wildcard not picking up anything

virtualpony
Path Finder

I am trying to monitor a log file where the directory path may change from one machine to another. But these rules are for sure:

The first folder has the word hyperic
The second folder has the word agent in it
the third folder is named logs
the file to be read is named agent.log

Some admins have named the first directory hyperic ... some have named it something else like hyperic 4.6.6

Also the second folder might be named hyperic-hqee-agent-4.6.5 or hyperic-hqee-agent-4.6.6 ... but we know that it has agent in it, so we want to proceed down to the next level.

A full path might look like this:

C:\Hyperic\hyperic-hqee-agent-4.6.6\log\agent.log

My inputs.conf has this stanza in it:

[monitor://C:\*Hyperic*\*agent*\log\agent.log]
disabled = false
sourcetype = hyperic_agent

the apps have deployed to all the corresponding machines, but nothing is being received. This is what I see in the splunkd logs:

11-26-2012 14:57:54.686 -0800 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\*Hyperic*\*agent*\log\agent.log.
Tags (1)
0 Karma

lguinn2
Legend

Try this:

[monitor://C:\\*Hyperic*\\*agent*\\log\\agent.log]

I think Splunk is seeing the single backslashes as escaping the following character.

0 Karma

virtualpony
Path Finder

I have tried that also, still nothing. I get a TailingProcessor error event when I use double slashes \\. That error isn't present with single slashes.

0 Karma

sowings
Splunk Employee
Splunk Employee

Try without the leading star after C:\.

[monitor://C:\\Hyperic*\\*agent*\\log\\agent.log

0 Karma

virtualpony
Path Finder

I tried that but it doesn't work either. Thanks.

0 Karma

virtualpony
Path Finder

There are quite a bit of files monitored, but I think what you wanted to see was if the file in question is being monitored. It is listed as following:
C:\*Hyperic*\*agent*\log\agent.log
C:\*Hyperic*\*agent*\log\wrapper.log

0 Karma

lguinn2
Legend

On any of the machines, what do you see when you run

splunk list monitor

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...