monitor stanza in Windows

mcbradford · ‎10-31-2013

I want to monitor the following

C:\Users\...\AppData\Local\Microsoft\Windows\Burn

sometimes with the Burn directory there will be other folders.

I want to monitor all the folders and files under the burn directory

The following does not appear to be working:

[monitor://C:\Users\...\AppData\Local\Microsoft\Windows\burn\]
sourcetype = WindowsBurnLog
disabled = 0
index=windows

rtadams89 · ‎06-02-2014

Try adding "recursive = true" to the stanza. This should be the default, but worth a shot just in case.

Also, what exactly is not working? Do you only get files directly in the "burn" directory indexed? Do you get them from all users folders or just some?

You may also want to try using:
monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn...*

mcbradford · ‎10-31-2013

Nothing really. I even added a "*"

tailingProcessor - Parsing configuration stanza: monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn*

Ayn · ‎10-31-2013

Check splunkd.log to see what Splunk says about this input.

monitor stanza in Windows

Congratulations to the 2025-2026 SplunkTrust!

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

Your Guide to Splunk Digital Experience Monitoring

Join the Conversation

monitor stanza in Windows

Congratulations to the 2025-2026 SplunkTrust!

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

Your Guide to Splunk Digital Experience Monitoring