Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

monitor stanza in Windows

mcbradford
Contributor
‎10-31-2013 02:04 PM

I want to monitor the following

C:\Users\...\AppData\Local\Microsoft\Windows\Burn

sometimes with the Burn directory there will be other folders.

I want to monitor all the folders and files under the burn directory

The following does not appear to be working:

[monitor://C:\Users\...\AppData\Local\Microsoft\Windows\burn\]
sourcetype = WindowsBurnLog
disabled = 0
index=windows
Tags (1)
0 Karma
Reply

rtadams89
Contributor
‎06-02-2014 10:39 AM

Try adding "recursive = true" to the stanza. This should be the default, but worth a shot just in case.

Also, what exactly is not working? Do you only get files directly in the "burn" directory indexed? Do you get them from all users folders or just some?

You may also want to try using:
monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn...*

0 Karma
Reply

mcbradford
Contributor
‎10-31-2013 02:15 PM

Nothing really. I even added a "*"

tailingProcessor - Parsing configuration stanza: monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn*

0 Karma
Reply

Ayn
Legend
‎10-31-2013 02:11 PM

Check splunkd.log to see what Splunk says about this input.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...