Re: monitor stanza in Windows

mcbradford · ‎10-31-2013

I want to monitor the following

C:\Users\...\AppData\Local\Microsoft\Windows\Burn

sometimes with the Burn directory there will be other folders.

I want to monitor all the folders and files under the burn directory

The following does not appear to be working:

[monitor://C:\Users\...\AppData\Local\Microsoft\Windows\burn\]
sourcetype = WindowsBurnLog
disabled = 0
index=windows

rtadams89 · ‎06-02-2014

Try adding "recursive = true" to the stanza. This should be the default, but worth a shot just in case.

Also, what exactly is not working? Do you only get files directly in the "burn" directory indexed? Do you get them from all users folders or just some?

You may also want to try using:
monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn...*

mcbradford · ‎10-31-2013

Nothing really. I even added a "*"

tailingProcessor - Parsing configuration stanza: monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn*

Ayn · ‎10-31-2013

Check splunkd.log to see what Splunk says about this input.

monitor stanza in Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation