Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Monitoring the directories recursively

sushma7
Path Finder
‎03-13-2014 11:08 PM

Hi,

I have a directory on E drive by name SPLUNK. It has 3 to 4 subdirectories in it and under each subdirectory there almost 10 files with names as SystemOut_14.2.2011_1, SystemOut_14.2.2011_2 etc..
But in my SPLUNK only monitors the first file in each of the subdirectory, not the rest, why is it happening so?

Appreciate your help!

Regards,
Sushma.

Tags (1)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-14-2014 11:29 PM

Hi sushma7,

You monitor path is wrong, use this instead

[monitor://E:\Splunk]

Also read the docs on how to monitor files and directories and about monitorNoHandle is special.

Cheers, MuS

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-16-2014 11:29 PM

permission troubles perhaps? check splunkd.log for any messages related to this directory and/or those files

0 Karma
Reply

chandanghoshCTL
Explorer
‎08-17-2018 12:35 PM

I had this problem n fix it .
looks like you already doing it right but my mistake was type ..\ , should ...\ (3 dots)
[monitor://C:\inetpub\logs\LogFiles...*.log]

0 Karma
Reply

linu1988
Champion
‎03-16-2014 11:36 AM

whats the extension of the files? why don't you put the names explicitly?

[monitor://E:\Splunk\...\*.log]

0 Karma
Reply

sushma7
Path Finder
‎03-16-2014 08:11 AM

Any suggestions please?

0 Karma
Reply

sushma7
Path Finder
‎03-15-2014 06:13 AM

Sorry to say this, it was my typo error I gave the same thing that you have mentioned i.e. [monitor://E:\Splunk]
disabled=false
recursive=true

But why is it not viewing my other log files? Is there any UNC restriction in SPLUNK? When it can read a file by SystemOut_14.2.2011_1 in one of the sub directory, why is it not viewing the other 9 log files whose name just differs by last digitSystemOut_14.2.2011_2 etc...

0 Karma
Reply

sushma7
Path Finder
‎03-14-2014 09:47 PM

Need help!

0 Karma
Reply

sushma7
Path Finder
‎03-13-2014 11:13 PM

Under inputs.conf file i just enetered [monitor:///E:\Splunk]
disabled =false
recursive = true

Is thereanything more I need to enter?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...