Getting Data In

Trying to tail directories on Windows machines for log files; the problem is there are many subfolders and different file types: .log and .csv.

QuintonS
Path Finder

My inputs.conf is below; I need to have a recursive path for subfolders and all files. But the below is not working, am I missing something?

[monitor://M:\MGSLog\...\*]
sourcetype = mgslog
index = mgslog
disabled = false
ignoreOlderThan = 1d

1 Solution

woodcock
Esteemed Legend

I have never used * for the file but I don't see why it wouldn't work. If you do not need recursion, you can do this instead:

 [monitor://M:\MGSLog\*\*]

0 Karma

markusspitzli
Communicator

Hey.

The config looks fine to me, even though I would change the wildcard to the actual logfilename(s) like mylogfile*.log or so.
You can never be sure that someone uses your directory as temporary storage. Those files would be ingested too. You don't want that.

Do you have any logs from the universal forwarder? Maybe the monitored files are too small, so that you have to use crcSalt. Or maybe you have a permission problem, even though I think that might not be the case on Windows machines.

0 Karma

QuintonS
Path Finder

Thanks for replying so quickly, definitely not a permission issue. I tried testing by adding the subdirectories directly in the input and it brings the files in. With regard to the wildcard, we are planning to add a whitelist for the files in production, as this is just a POC. The problem is that it brings in the files in the main directory but not the subdirectories?

0 Karma

markusspitzli
Communicator

That's strange. Maybe it's an issue with the universal forwarder.

If you only have one subdirectory you could use * instead of ...

No issue with working with whitelists as long as the sourcetype is the same. Otherwise different monitoring stanzas would be great.

0 Karma
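
The replies above suggest a whitelist instead of a bare `*`, so that stray files dropped into the directory are not ingested. The following is an added example (not code from the thread or from Splunk) that previews which files a recursive directory monitor with a whitelist would select. It assumes the whitelist is a regex searched against the full file path and that `ignoreOlderThan` compares against file modification time; `preview_monitor`, the stanza in the comment, and the sample tree are hypothetical.

```python
import os
import re
import tempfile
import time

# Assumed stanza being previewed (constructed, not from the thread):
#   [monitor://M:\MGSLog]
#   whitelist = \.(log|csv)$
#   ignoreOlderThan = 1d

def preview_monitor(root, whitelist, ignore_older_than_s=None, now=None):
    """List files under root that pass the whitelist regex and the age cut-off."""
    allow = re.compile(whitelist)
    now = time.time() if now is None else now
    picked = []
    for dirpath, _dirs, files in os.walk(root):  # walks every subfolder level
        for name in files:
            path = os.path.join(dirpath, name)
            if not allow.search(path):
                continue  # not on the whitelist, e.g. a temporary upload
            age = now - os.path.getmtime(path)
            if ignore_older_than_s is not None and age > ignore_older_than_s:
                continue  # modified too long ago
            picked.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(picked)

def build_sample_tree(root):
    """Constructed sample layout: relative path -> age in seconds."""
    files = {"top.log": 0, "app1/service.log": 0, "app1/deep/metrics.csv": 0,
             "app1/upload.tmp": 0, "app2/old.log": 3 * 86400}
    now = time.time()
    for rel, age in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample line\n")
        os.utime(path, (now - age, now - age))  # backdate the mtime

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        everything = preview_monitor(root, r".")
        filtered = preview_monitor(root, r"\.(log|csv)$", ignore_older_than_s=86400)
        return everything, filtered

if __name__ == "__main__":
    for label, paths in zip(("match everything", "whitelist + 1d"), demo()):
        print(label, paths)
```

Running it against the real log root on the forwarder host, before deploying the stanza, shows whether temporary or stale files would be picked up.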