Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

trying to tail directories on windows machines for log files, problem is there are many subfolders and different file types. .log and .csv.

QuintonS
Path Finder
‎02-21-2019 11:03 PM

my input.conf below, need to have a recursive path for subfolders and all files. But the below is not working, am I missing something?

[monitor://M:\MGSLog\...\*]
sourcetype = mgslog
index = mgslog
disabled = false
ignoreOlderThan = 1d
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-05-2019 06:30 PM

I have never used * for the file but I don't see why it wouldn't work. If you do not need recursion, you can do this instead:

 [monitor://M:\MGSLog\*\*]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-05-2019 06:30 PM

I have never used * for the file but I don't see why it wouldn't work. If you do not need recursion, you can do this instead:

 [monitor://M:\MGSLog\*\*]
0 Karma
Reply
Solved! Jump to solution

markusspitzli
Communicator
‎02-21-2019 11:10 PM

Hey.

The config looks fine to me, even though I would change the wildcard to the actual logfilename(s) like mylogfile*.log or so.
You can never be sure that someone uses your directory as temporary storage. those files would be ingested too. You dont want that.

Do you have any logs from the universalfowarder. Maybe the monitored files are to small so that you have to use saltcrc. or maybe you have a permission problem, even though i think that might not be the case on windows machines.

0 Karma
Reply
Solved! Jump to solution

QuintonS
Path Finder
‎02-21-2019 11:19 PM

Thanks for replying so quickly, definitely not a premission issue. Tried testing with adding the sub directories directly in the input and it bring the files in. with regards to the wildcard we are planning to add a whitelist for the files in production as this is just a POC. problem is that it brings in the files in the main directory but not the subdirectories?

0 Karma
Reply
Solved! Jump to solution

markusspitzli
Communicator
‎02-21-2019 11:28 PM

Thats strange. maybe its an issue with the universalforwarder.

If you only have one subdirectory you could you * instead of ...

No issue with working with whitelists as long as the sourcetype is the same. Otherwise different monitoring stanzas would be great.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...