Getting Data In

Wildcard in monitor path does not work in Windows 2008

kavalan
Engager

Hi,

I have a question exactly like the one described in this question, but I cannot solve the problem by following the answer.

http://splunk-base.splunk.com/answers/13613/use-of-wild-card-character-in-monitor-path

To recap my question: I have a Windows 2008 server, and in my inputs.conf I put

[monitor://C:\test\*] and [monitor://C:\test\*.txt], neither of which works, but if I specify the file name like this, [monitor://C:\test] or [monitor://C:\test\test.txt], then the indexer does read in test.txt.

I thought it was a permission issue, so I ran the Splunk process with administrator rights by right-clicking on the file and running it as administrator. I also right-clicked on the folder to change the permissions so that everyone can read and write to it.

Is there anything else I can do to solve this? The wildcard works on my Linux machine.

Thanks.


charles_colvin
Explorer

I encountered the exact same behavior. In my case the problem was due to having two colons after the "Monitor" keyword. This caused Splunk to interpret my path as ":\D:\blah\blah*"

These commands are useful to see what files / directories are matching the wildcards:

$SPLUNK_HOME/bin/splunk list monitor

$SPLUNK_HOME/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
0 Karma
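A check for the malformed-header case described in the answer above, as an added example that is not part of the original thread and not Splunk's own tooling: it scans inputs.conf text and flags monitor stanzas whose separator after the keyword is not exactly `://`, and notes which paths contain wildcards. The sample file contents and the function name `lint_monitor_stanzas` are constructed for illustration.

```python
import re

# Constructed sample inputs.conf contents (not taken from the thread).
SAMPLE = r"""
[monitor://C:\test\*.txt]
sourcetype = test

[monitor:://D:\logs\app*]
index = main

[monitor:/C:\test\*]

[monitor://C:\test\test.txt]

[WinEventLog://Security]
"""

HEADER = re.compile(r"^\[(?P<body>.*)\]$")
# Capture whatever sits between "monitor" and the path: any run of colons,
# then at most two slashes, so a leading "/" of a Unix path stays in the path.
MONITOR = re.compile(r"^monitor(?P<sep>:*/{0,2})(?P<path>.*)$")


def lint_monitor_stanzas(conf_text):
    """Return one dict per monitor-like stanza header found in conf_text."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        header = HEADER.match(raw.strip())
        if not header:
            continue  # setting line, comment or blank line
        stanza = MONITOR.match(header.group("body"))
        if not stanza:
            continue  # a different input type, e.g. WinEventLog
        sep, path = stanza.group("sep"), stanza.group("path")
        problems = []
        if sep != "://":
            problems.append("separator is %r, expected '://'" % sep)
        if not path:
            problems.append("empty path")
        findings.append({"line": line_no, "header": raw.strip(), "path": path,
                         "wildcard": "*" in path or "..." in path,
                         "problems": problems})
    return findings


if __name__ == "__main__":
    for f in lint_monitor_stanzas(SAMPLE):
        status = "; ".join(f["problems"]) or "ok"
        print("line %d: %s -> %s" % (f["line"], f["header"], status))
```

Stanzas that pass this check can then be compared against the output of the `splunk list monitor` command mentioned in the answer to see which files the wildcard actually matched.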