Re: monitor stanza in Windows

mcbradford · ‎10-31-2013

I want to monitor the following

C:\Users\...\AppData\Local\Microsoft\Windows\Burn

sometimes with the Burn directory there will be other folders.

I want to monitor all the folders and files under the burn directory

The following does not appear to be working:

[monitor://C:\Users\...\AppData\Local\Microsoft\Windows\burn\]
sourcetype = WindowsBurnLog
disabled = 0
index=windows

rtadams89 · ‎06-02-2014

Try adding "recursive = true" to the stanza. This should be the default, but worth a shot just in case.

Also, what exactly is not working? Do you only get files directly in the "burn" directory indexed? Do you get them from all users folders or just some?

You may also want to try using:
monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn...*

mcbradford · ‎10-31-2013

Nothing really. I even added a "*"

tailingProcessor - Parsing configuration stanza: monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn*

Ayn · ‎10-31-2013

Check splunkd.log to see what Splunk says about this input.

monitor stanza in Windows

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

monitor stanza in Windows

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk