Monitoring the directories recursively

sushma7
Path Finder

Hi,

I have a directory on the E drive by the name SPLUNK. It has 3 to 4 subdirectories in it, and under each subdirectory there are almost 10 files with names such as SystemOut_14.2.2011_1, SystemOut_14.2.2011_2 etc.
But my SPLUNK only monitors the first file in each of the subdirectories, not the rest. Why is it happening so?

Appreciate your help!

Regards,
Sushma.

0 Karma

MuS
Legend

Hi sushma7,

Your monitor path is wrong, use this instead:

[monitor://E:\Splunk]

Also read the docs on how to monitor files and directories and about how monitorNoHandle is special.

Cheers, MuS

0 Karma

MuS
Legend

Permission troubles perhaps? Check splunkd.log for any messages related to this directory and/or those files.

0 Karma

chandanghoshCTL
Explorer

I had this problem and fixed it.
Looks like you are already doing it right, but my mistake was typing ..\ when it should be ...\ (3 dots):
[monitor://C:\inetpub\logs\LogFiles\...\*.log]

0 Karma

linu1988
Champion

What's the extension of the files? Why don't you put the names explicitly?

[monitor://E:\Splunk\...\*.log]

0 Karma
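
The wildcard forms from the two replies above, modelled as an added example that is not part of the thread and not Splunk's own code. It assumes the documented wildcard rules (`...` recurses through any number of directories, `*` stays within one path segment, a plain directory is monitored recursively); the matcher is a simplified model and the file paths are constructed.

```python
import re

# Constructed sample files, not taken from the thread's actual system.
FILES = [
    r"E:\Splunk\app1\SystemOut_14.2.2011_1",
    r"E:\Splunk\app1\SystemOut_14.2.2011_2",
    r"E:\Splunk\app2\server.log",
    r"E:\Splunk\app2\old\server.log",
]

def monitor_to_regex(path):
    """Translate a monitor path containing wildcards into an anchored regex."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")            # recursive: may cross path separators
            i += 3
        elif path[i] == "*":
            out.append(r"[^\\/]*")      # one path segment only
            i += 1
        else:
            out.append(re.escape(path[i]))  # a lone "." or ".." stays literal
            i += 1
    return re.compile("^" + "".join(out) + "$")

def matches(monitor_path, file_path):
    """True if file_path would fall under the monitor path in this model."""
    if "..." not in monitor_path and "*" not in monitor_path:
        # No wildcard: the directory is walked recursively.
        return file_path.startswith(monitor_path.rstrip("\\") + "\\")
    return monitor_to_regex(monitor_path).match(file_path) is not None

def matched_files(monitor_path, files=FILES):
    return [f for f in files if matches(monitor_path, f)]

if __name__ == "__main__":
    for stanza in (r"E:\Splunk",
                   r"E:\Splunk\...\*.log",   # three dots
                   r"E:\Splunk\..\*.log"):   # two dots, the typo described above
        hits = matched_files(stanza)
        print(f"[monitor://{stanza}] -> {len(hits)} file(s)")
        for h in hits:
            print("   ", h)
```

In this sample set the `*.log` pattern skips the extensionless SystemOut files, and the two-dot form matches nothing at all.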

sushma7
Path Finder

Any suggestions please?

0 Karma

sushma7
Path Finder

Sorry to say this, it was my typo error. I gave the same thing that you have mentioned, i.e.
[monitor://E:\Splunk]
disabled=false
recursive=true

But why is it not viewing my other log files? Is there any UNC restriction in SPLUNK? When it can read a file named SystemOut_14.2.2011_1 in one of the subdirectories, why is it not viewing the other 9 log files whose names just differ by the last digit, SystemOut_14.2.2011_2 etc.?

0 Karma

sushma7
Path Finder

Need help!

0 Karma

sushma7
Path Finder

Under the inputs.conf file I just entered
[monitor:///E:\Splunk]
disabled =false
recursive = true

Is there anything more I need to enter?

0 Karma