I need to configure inputs.conf for forwarding a file like the one below:
G:\BlackBerry Enterprise Server\Logs\20140827\MCLCOVBB61VWIN_MAGT_01_20140827_0001.txt
My inputs.conf looks like this:
[monitor://G:\BlackBerry Enterprise Server\Logs\%Y%m%d\*_MAGT_*_%Y%m%d_*.txt]
disabled = false
followTail = 0
index = coreops
sourcetype = bes_magt
Is there anything I am doing wrong here? I don't see data coming into Splunk. How do I check whether the given regex is parsing out for the right log file?
You should probably try something like
[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]
Strptime date variables are not supported in monitor-stanzas.
/K
Thank you everyone for responding, above solutions worked for me.
And you can add a whitelist attribute to index files with a specific regex.
e.g.
[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]
...
whitelist = _MAGT_.*_\d{8}_.*\.txt$
Looks like it is not understanding date variables in the folder path. After running that command, this is what I see in the output:
Monitored Files:
$SPLUNK_HOME\etc\splunk.version
G:\BlackBerry Enterprise Server\Logs\%Y%m%d\
On the forwarder, execute the splunk list monitor command and see if the expected files are being monitored.
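An offline way to check which files a monitor path and whitelist would pick up before deploying the stanza. This is an added example, not code from any poster in this thread or from Splunk: it approximates the documented wildcard rules (`*` stays within one path segment, `...` recurses), and the function names, the whitelist value and the second sample path are constructed for illustration.

```python
import re

def monitor_to_regex(stanza_path):
    """Approximate monitor-path wildcards as a regex (assumption: '...'
    recurses through directories, '*' never crosses a path separator).
    Everything else, including %Y%m%d, is treated as literal text."""
    out, i = [], 0
    while i < len(stanza_path):
        if stanza_path.startswith("...", i):
            out.append(".*")
            i += 3
        elif stanza_path[i] == "*":
            out.append(r"[^\\/]*")
            i += 1
        else:
            out.append(re.escape(stanza_path[i]))
            i += 1
    # Windows paths are case-insensitive, so match that way.
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def would_monitor(path, stanza_path, whitelist=None):
    """True if path matches the monitor path and, if given, the whitelist regex."""
    if not monitor_to_regex(stanza_path).match(path):
        return False
    if whitelist is not None and not re.search(whitelist, path):
        return False
    return True

# Monitor paths taken from the thread.
ORIGINAL = r"G:\BlackBerry Enterprise Server\Logs\%Y%m%d\*_MAGT_*_%Y%m%d_*.txt"
SUGGESTED = r"g:\blackberry enterprise server\logs\*\*MAGT*.txt"
# Constructed whitelist regex (hypothetical value, not from the thread).
WHITELIST = r"_MAGT_\d+_\d{8}_\d+\.txt$"

# First path is the one from the question; the second is constructed.
SAMPLES = [
    r"G:\BlackBerry Enterprise Server\Logs\20140827\MCLCOVBB61VWIN_MAGT_01_20140827_0001.txt",
    r"G:\BlackBerry Enterprise Server\Logs\20140827\MCLCOVBB61VWIN_MAGT_notes.txt",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p)
        print("  original stanza :", would_monitor(p, ORIGINAL))
        print("  suggested stanza:", would_monitor(p, SUGGESTED))
        print("  with whitelist  :", would_monitor(p, SUGGESTED, WHITELIST))
```

The result on the forwarder itself is still what splunk list monitor reports; this only narrows down pattern mistakes beforehand.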