Re: monitor stanza in Windows

mcbradford · ‎10-31-2013

I want to monitor the following

C:\Users\...\AppData\Local\Microsoft\Windows\Burn

sometimes with the Burn directory there will be other folders.

I want to monitor all the folders and files under the burn directory

The following does not appear to be working:

[monitor://C:\Users\...\AppData\Local\Microsoft\Windows\burn\]
sourcetype = WindowsBurnLog
disabled = 0
index=windows

rtadams89 · ‎06-02-2014

Try adding "recursive = true" to the stanza. This should be the default, but worth a shot just in case.

Also, what exactly is not working? Do you only get files directly in the "burn" directory indexed? Do you get them from all users folders or just some?

You may also want to try using:
monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn...*

mcbradford · ‎10-31-2013

Nothing really. I even added a "*"

tailingProcessor - Parsing configuration stanza: monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn*

Ayn · ‎10-31-2013

Check splunkd.log to see what Splunk says about this input.

monitor stanza in Windows

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Are you a member of the Splunk Community?

monitor stanza in Windows

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025