Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

wild card in monitor path does not work in windows 2008

kavalan
Engager
‎06-15-2011 05:45 AM

Hi,

I have a question exactly like the described in this question, but I can not solve the problem following the answer.

http://splunk-base.splunk.com/answers/13613/use-of-wild-card-character-in-monitor-path

To recap my question, I have a windows 2008 server, in my inputs.conf I put down

[monitor://C:\test\*] and [monitor://C:\test\*.txt] which neither work, but if I specify the file name like this [monitor://C:\test] or [monitor://C:\test\test.txt] then indexer does read in test.txt.

I thought it as the permission issue, so I run the splunk process with administrator right by right click on the file and run it as administrator. I also right click on the folder to change the permission that everyone can read and write on it.

Is there any other I can do to solve this? The wild card works in my linux machine.

Thanks.

Tags (3)
Reply

charles_colvin
Explorer
‎06-14-2012 08:16 PM

I encountered the exact same behavior. In my case the problem was due to having two colons after the "Monitor" keyword. This caused Splunk to interpret my path as ":\D:\blah\blah*"

These commands are useful to see what files / directories are matching the wildcards:

$SPLUNK_HOME/bin/splunk list monitor

$SPLUNK_HOME/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!