setting up wildcard data inputs on windows forward...

marguin · ‎06-08-2012

I am configuring a windows server with splunk, which i will be changing to a forwarder once i get it finding the data correctly. based on the documentation for using wild cards i came up with this:

i need to collect logs files from : C:\MT4+EA-Farm\assigned\*\experts\logs and i want any file in that directory...so:

(from C:\Program Files\Splunk\etc\system\local\inputs.conf)

[monitor://C:\MT4+EA-Farm\assigned\...\experts\logs\*.*]
disabled = false
followTail = 0
host = ea2-20
sourcetype = eafarm

restart splunkd and i see these errors in the splunkd.log file.

06-08-2012 19:34:52.746 +0000 ERROR TailingProcessor - matching C:\MT4+EA-Farm\assigned\u43096_c13058\ against ^C:\\MT4+EA-Farm\\assigned\\.*\\experts\\logs\\[^\\]*\.[^\\]*$

what am i doing wrong here?

jnhth · ‎06-12-2012

I got this answer from support:

"Can I confirm that you running Splunk 4.3.1 or 4.3.2?
If so I believe that you have run into a known bug SPL-49599 (Files not indexed because they don't match the whitelist of a higher-level overlapping stanza)
This issue is being worked on by the developemnt team and should be addressed in Splunk 4.3.3 which is due for release in the coming weeks."

Hope this helps you 🙂

setting up wildcard data inputs on windows forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation