Splunk Enterprise

File monitor wildcard not matching?

jdmclemore
Path Finder

I'm trying to monitor a catalina logs that look like this:

/home/loader/logs/catalina.2017-09-01.log

with this file monitor stanza:

[monitor:///home/loader/logs/catalina.*.log]
disabled = false
sourcetype = catalina

But I'm not seeing any data. Any reason why that wildcard would not match that file?

Tags (1)
0 Karma
1 Solution

burwell
SplunkTrust
SplunkTrust
  1. Like Woodcock suggests, be sure you have index=main on your search
  2. For a quick search, change the time period to All Time. Perhaps you are having time parsing issues. Oftentimes I find my data is in Splunk. I am just looking in the wrong time interval.
  3. Look in the forwarder logs when you restart Splunk and make sure that the forwarder is monitoring the directory you expect
  4. Check to make sure that the user who runs Splunk can read the logs.

View solution in original post

0 Karma

burwell
SplunkTrust
SplunkTrust
  1. Like Woodcock suggests, be sure you have index=main on your search
  2. For a quick search, change the time period to All Time. Perhaps you are having time parsing issues. Oftentimes I find my data is in Splunk. I am just looking in the wrong time interval.
  3. Look in the forwarder logs when you restart Splunk and make sure that the forwarder is monitoring the directory you expect
  4. Check to make sure that the user who runs Splunk can read the logs.
0 Karma

jdmclemore
Path Finder

Thanks for the suggestions...turned out to be user error. 🙂 My wildcard DID match the file name.

0 Karma

woodcock
Esteemed Legend

You haven't told it what index to go to. Try this for a test:

[monitor:///home/loader/logs/catalina.*.log]
disabled = false
sourcetype = catalina
index = main
0 Karma

ddrillic
Ultra Champion

It should. For sanity check, I would put [monitor:///home/loader/logs/catalina.2017-09-01.log] if you haven't done it yet... index=main?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...