Monitoring Splunk

Log File input monitor not working

Path Finder

I have a UF 6.0.1 installed on a Windows 2012 server. There are some log files on the source server at below path

D:\Program Files (x86)\Proficy\Proficy Server\LogFiles

The format of the file is CalculationMgr-xx(yy).Log where x and y are numeric values and the log file is rolling file each day, each service restart etc.

I have tried multiple monitor stanza like below using whitelist and direct file monitor etc.
[monitor://D:\Program Files (x86)\Proficy\Proficy Server\LogFiles\CalculationMgr*.log]

[monitor://D:\Program Files (x86)\Proficy\Proficy Server\LogFiles]

source = Log
sourcetype = CalculationMgr
recursive = false

whitelist = CalculationMgr-\d+(\d+).log$

whitelist = CalculationMgr*\.log$

followTail = 0
disabled = 0

But UF is not sending data for the file and I am getting below error in Splunkd

04-04-2018 08:34:03.983 -0400 DEBUG TailingProcessor - Not using stanza for this item (File did not match whitelist '^D:\\Program\ Files\ (x86)\\Proficy\\Proficy\ Server\\LogFiles\\CalculationMgr[^\]*.log$'.).

04-04-2018 08:34:03.982 -0400 DEBUG TailReader - Returning disposition=IGNORE_THIS_PATH for file=D:\Program Files (x86)\Proficy\Proficy Server\LogFiles\CalculationMgr-1023(11).Log

I tried various combinations in stanza but none worked. There are also CalculationMgr.shw files in the same folder which need to be ignored. But in the log I am seeing entry for such files.

Can any one help me with right stanza to monitor this file?

Tags (1)
0 Karma

Path Finder

No success. Still getting below error

Not using stanza for this item (File did not match whitelist '^D:\Program\ Files\ (x86)\Proficy\Proficy\ Server\LogFiles\CalculationMgr[^\]*.log$'.).

0 Karma



please try the below stanza in your inputs.conf and let me know the update.

[monitor://D:\Program Files (x86)\Proficy\Proficy Server\LogFiles\CalculationMgr*.log]
disabled = false
index = Give the name of the Index
whitelist = (?i)CalculationMgr\W\w+\W\w+\W+\w+
blacklist = (?i)CalculationMgr\W\w+
sourcetype = CalculationMgr
recursive = false

Thanks | RD

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...