inputs.conf wildcard not working on a windows share

bandit
Motivator

Individual file monitor is working but not with the wildcards. I've tested a similar wildcard on local disk which is working.

# working
[monitor://\\host.share.com\UploadData\support\data\_Customers\M\M123\M123\GRP-123\2013_01_16.23_00_57.191957\191957.disktool.txt]

# not working
[monitor://\\host.share.com\UploadData\support\data\_Customers\*\*\*\*\*\*.disktool.txt]

lukejadamec
Super Champion

Have you tried:

[monitor://\\host.share.com\UploadData\support\data\_Customers\...disktool.txt]

bandit
Motivator

I think it's just that Splunk doesn't support multiple similar stanzas for monitor rules that contain wildcards. Not sure if that's a performance setting? It seems an individual rule does work on the shares. This would be quite simple to do with a Linux ls script to list out multiple files with a simple pattern. Hope a future update will simplify this type of monitor. I've been reading the doc below and testing out using props.conf with a single monitor rule. Hoping not to also have to use transforms. http://blogs.splunk.com/2010/02/11/sourcetypes-gone-wild/

0 Karma

lukejadamec
Super Champion

After further experimentation I have found that this works just fine on local drives, with or without the last \ or *. Must be a problem with shares.

0 Karma

lukejadamec
Super Champion

I've been reading
http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards
And after a few aspirin, I've decided that the slash after the ellipsis is escaping the asterisk thereby making it literal for the first one because the slash is a regex character. Unfortunately, why the last one works does not make sense, and the doc does not explain that much aspirin.

Regardless, I think that the ellipsis wildcard should handle all of your wildcard needs, so I've updated the answer to remove the last \ and *.

0 Karma

bandit
Motivator

Thanks, this works for one monitor stanza but introduces another issue since I have multiple monitor stanzas. Only one works at a time but if both are enabled, only the last one works. Both stanzas below are similar but one has disktool.txt and one has diskview.txt.

[monitor://\\host.share.com\UploadData\support\data\_Customers\...*.disktool.txt]
crcSalt =
index = eql_disktool
sourcetype = disktool

[monitor://\\host.share.com\UploadData\support\data\_Customers\...*.diskview.txt]
crcSalt =
index = eql_diskview
sourcetype = diskview

0 Karma
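
An added example (not part of the thread and not Splunk's code) that models the wildcard translation described in the documentation page linked above: `...` becomes `.*`, `*` becomes a single path segment, and the longest wildcard-free prefix becomes the monitored base. The function names and the backslash separator handling are assumptions made for illustration; the UNC paths are the ones posted in the thread, with backslashes written as in the first post.

```python
import re
from collections import defaultdict

WILDCARD = re.compile(r"(\.\.\.|\*)")

def implicit_whitelist(path, sep="\\"):
    """Model the documented translation of a wildcard path into an anchored regex."""
    parts = []
    for tok in WILDCARD.split(path):
        if tok == "...":
            parts.append(".*")                           # recurse through any depth
        elif tok == "*":
            parts.append("[^" + re.escape(sep) + "]*")   # stay inside one path segment
        else:
            parts.append(re.escape(tok))                 # literal text, dots and backslashes escaped
    return "".join(parts) + "$"

def monitor_base(path, sep="\\"):
    """Longest wildcard-free directory prefix: what actually gets monitored."""
    m = WILDCARD.search(path)
    if m is None:
        return path
    cut = path.rfind(sep, 0, m.start())
    return path[:cut] if cut >= 0 else ""

def group_by_base(paths):
    """Group stanza paths by base directory to spot stanzas that overlap."""
    groups = defaultdict(list)
    for p in paths:
        groups[monitor_base(p)].append(implicit_whitelist(p))
    return dict(groups)

# Paths taken from the posts above.
ROOT = r"\\host.share.com\UploadData\support\data\_Customers"
SAMPLE = ROOT + r"\M\M123\M123\GRP-123\2013_01_16.23_00_57.191957\191957.disktool.txt"
SIX_STAR = ROOT + r"\*\*\*\*\*\*.disktool.txt"
DISKTOOL = ROOT + r"\...*.disktool.txt"
DISKVIEW = ROOT + r"\...*.diskview.txt"

if __name__ == "__main__":
    for name, path in [("six-star", SIX_STAR), ("disktool", DISKTOOL), ("diskview", DISKVIEW)]:
        hit = re.search(implicit_whitelist(path), SAMPLE) is not None
        print(f"{name:9} base={monitor_base(path)} matches_sample={hit}")
    for base, regexes in group_by_base([DISKTOOL, DISKVIEW]).items():
        print(f"{len(regexes)} stanza(s) share base {base}")
```

In this model the six-`*` pattern from the question does match the known-good file, and the two `...` stanzas differ only in their whitelist while sharing one base directory.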