Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to write regex for path in inputs.conf?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to configure inputs.conf for forwarding a file like below,
G:\BlackBerry Enterprise Server\Logs\20140827\MCLCOVBB61VWIN_MAGT_01_20140827_0001.txt
my inputs.conf looks like this,
[monitor://G:\BlackBerry Enterprise Server\Logs\%Y%m%d\*_MAGT_*_%Y%m%d_*.txt]
disabled = false
followTail = 0
index = coreops
sourcetype = bes_magt
Anything iam doing wrong here, i dont see data coming into splunk, how do i check whether the given regex is parsing out for the right log file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should probably try something like
[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]
Strptime date variables are not supported in monitor-stanzas.
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should probably try something like
[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]
Strptime date variables are not supported in monitor-stanzas.
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you everyone for responding, above solutions worked for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And you can add whitelist attribute to index files with specific regex.
e.g.
[monitor://g:\blackberry enterprise server\logs\*\*MAGT*.txt]
...
whitelist = *_MAGT_*_\d{8}_*.txt$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like it is not understanding date variables in the folder path. After running that command, this is what i see in the output,
Monitored Files:
$SPLUNK_HOME\etc\splunk.version
G:\BlackBerry Enterprise Server\Logs\%Y%m%d\
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On the forwarder, execute splunk list monitor command and see if the expected files are being monitered.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
