Solved: How to write regex for path in inputs.conf?

anoopambli · ‎08-27-2014

I need to configure inputs.conf for forwarding a file like below,

G:\BlackBerry Enterprise Server\Logs\20140827\MCLCOVBB61VWIN_MAGT_01_20140827_0001.txt

my inputs.conf looks like this,

[monitor://G:\BlackBerry Enterprise Server\Logs\%Y%m%d\*_MAGT_*_%Y%m%d_*.txt]
disabled = false
followTail = 0
index = coreops
sourcetype = bes_magt

Anything iam doing wrong here, i dont see data coming into splunk, how do i check whether the given regex is parsing out for the right log file?

kristian_kolb · ‎08-27-2014

You should probably try something like

[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]

Strptime date variables are not supported in monitor-stanzas.

/K

kristian_kolb · ‎08-27-2014

You should probably try something like

[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]

Strptime date variables are not supported in monitor-stanzas.

/K

anoopambli · ‎08-29-2014

Thank you everyone for responding, above solutions worked for me.

somesoni2 · ‎08-27-2014

And you can add whitelist attribute to index files with specific regex.

e.g.

[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]
...
whitelist = *_MAGT_*_\d{8}_*.txt$

anoopambli · ‎08-27-2014

looks like it is not understanding date variables in the folder path. After running that command, this is what i see in the output,

Monitored Files:
$SPLUNK_HOME\etc\splunk.version
G:\BlackBerry Enterprise Server\Logs\%Y%m%d\

pradeepkumarg · ‎08-27-2014

On the forwarder, execute splunk list monitor command and see if the expected files are being monitered.

How to write regex for path in inputs.conf?