Getting Data In

wild card in monitor path does not work in windows 2008



I have a question exactly like the described in this question, but I can not solve the problem following the answer.

To recap my question, I have a windows 2008 server, in my inputs.conf I put down

[monitor://C:\test\*] and [monitor://C:\test\*.txt] which neither work, but if I specify the file name like this [monitor://C:\test] or [monitor://C:\test\test.txt] then indexer does read in test.txt.

I thought it as the permission issue, so I run the splunk process with administrator right by right click on the file and run it as administrator. I also right click on the folder to change the permission that everyone can read and write on it.

Is there any other I can do to solve this? The wild card works in my linux machine.


Tags (3)


I encountered the exact same behavior. In my case the problem was due to having two colons after the "Monitor" keyword. This caused Splunk to interpret my path as ":\D:\blah\blah*"

These commands are useful to see what files / directories are matching the wildcards:

$SPLUNK_HOME/bin/splunk list monitor

$SPLUNK_HOME/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!