Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Wildcard not working in monitor input
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wildcard not working in monitor input
I used following syntax to monitor a file input in windows
[monitor://D:\app*\logs\a*.log]
The above stanza is not indexing any file. Getting the below error in splnkd.log on forwarder
FilesystemChangeWatcher - error getting attributes of path "\D:": The filename, directory name, or volume label syntax is incorrect.
But when I use following input, it works.
[monitor://D:\appdev\logs\a*.log]
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
[monitor://D:\*\log\a*.log]
whitelist = D:\app*\log\a*.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Thanks for the reply.
The wildcard just after the root directory is not working in Splunk. Could you please check at your end if this works?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
can you try this
[monitor://D:\app*\log\]
index = <your_index>
sourcetype = <your_sourcetype>
whitelist = a*\.log$
See also: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply.
It's not working. The reason is that I provided wildcard just after the drive D:\app*\log. when we provide an input like following, it works.
[monitor://D:\appdev\l*]
Please confirm if there is any other way to provide wildcard to a folder after D:\
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well
you can also play with the path, can you change the directory to something like D:\newdir\appxxx and then recursively monitor the newdir ?
[monitor://D:\...\log\a*.log]
whitelist = D:\app*\
see also https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Specifyinputpathswithwildcards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, we cannot change the directory as it is on forwarder and it is generated by an application.
October Community Champions: A Shoutout to Our Contributors!
Community Content Calendar, November Edition
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
