setting up wildcard data inputs on windows forward...

marguin · ‎06-08-2012

I am configuring a windows server with splunk, which i will be changing to a forwarder once i get it finding the data correctly. based on the documentation for using wild cards i came up with this:

i need to collect logs files from : C:\MT4+EA-Farm\assigned\*\experts\logs and i want any file in that directory...so:

(from C:\Program Files\Splunk\etc\system\local\inputs.conf)

[monitor://C:\MT4+EA-Farm\assigned\...\experts\logs\*.*]
disabled = false
followTail = 0
host = ea2-20
sourcetype = eafarm

restart splunkd and i see these errors in the splunkd.log file.

06-08-2012 19:34:52.746 +0000 ERROR TailingProcessor - matching C:\MT4+EA-Farm\assigned\u43096_c13058\ against ^C:\\MT4+EA-Farm\\assigned\\.*\\experts\\logs\\[^\\]*\.[^\\]*$

what am i doing wrong here?

jnhth · ‎06-12-2012

I got this answer from support:

"Can I confirm that you running Splunk 4.3.1 or 4.3.2?
If so I believe that you have run into a known bug SPL-49599 (Files not indexed because they don't match the whitelist of a higher-level overlapping stanza)
This issue is being worked on by the developemnt team and should be addressed in Splunk 4.3.3 which is due for release in the coming weeks."

Hope this helps you 🙂

setting up wildcard data inputs on windows forwarder

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

setting up wildcard data inputs on windows forwarder

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases