Splunk Search

How to write regex for path in inputs.conf?

anoopambli
Communicator

I need to configure inputs.conf for forwarding a file like below,

G:\BlackBerry Enterprise Server\Logs\20140827\MCLCOVBB61VWIN_MAGT_01_20140827_0001.txt

my inputs.conf looks like this,

[monitor://G:\BlackBerry Enterprise Server\Logs\%Y%m%d\*_MAGT_*_%Y%m%d_*.txt]
disabled = false
followTail = 0
index = coreops
sourcetype = bes_magt

Anything iam doing wrong here, i dont see data coming into splunk, how do i check whether the given regex is parsing out for the right log file?

Tags (2)
1 Solution

kristian_kolb
Ultra Champion

You should probably try something like

[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]

Strptime date variables are not supported in monitor-stanzas.

/K

View solution in original post

kristian_kolb
Ultra Champion

You should probably try something like

[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]

Strptime date variables are not supported in monitor-stanzas.

/K

anoopambli
Communicator

Thank you everyone for responding, above solutions worked for me.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

And you can add whitelist attribute to index files with specific regex.

e.g.

[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]
...
whitelist = *_MAGT_*_\d{8}_*.txt$

anoopambli
Communicator

looks like it is not understanding date variables in the folder path. After running that command, this is what i see in the output,

Monitored Files:
$SPLUNK_HOME\etc\splunk.version
G:\BlackBerry Enterprise Server\Logs\%Y%m%d\

0 Karma

pradeepkumarg
Influencer

On the forwarder, execute splunk list monitor command and see if the expected files are being monitered.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...