Is it possible to monitor and index files in a fol...

Michael_Ekkert · ‎10-19-2016

Hi,

I'm using Splunk 6.1.3 for Windows and have an issue with indexing files that reside in a folder that contains periods in the folder name.

An example is D:\Application\Logs\Z.Y.Z\APP01_13776_20161019.log

I have attempted a few different syntax formats listed below and will not index the files. Any suggestions as to how I can identify why it's not indexing these APP*.log files?

[monitor://D:\Application\Logs\...\APP*.log]
crcSalt = 
ignoreOlderThan = 2d
index = indexname
sourcetype = sourcetypename
recursive=false
disabled=false

[monitor://D:\Application\Logs\X.Y.Z\APP*.log]
crcSalt = 
ignoreOlderThan = 2d
index = indexname
sourcetype = sourcetypename
recursive=false
disabled=false

Thanks for any assistance.

ddrillic · ‎10-19-2016

Why the extra slash at

[monitor://D:\Application\Logs\\...\APP*.log]

[monitor://D:\Application\Logs\...\APP*.log]

should do it...

What about?

[monitor://D:\Application\Logs\*\APP*.log]

Michael_Ekkert · ‎10-19-2016

Yeah.. I just tried that not too long ago and the wildcard doesn't pickup either.. the extra "\" was due to the way the edit rendered and didn't display in the preview correctly.. I've edited the post.

ddrillic · ‎10-19-2016

And if you put the Z.Y.Z in the monitor, does it work?

Michael_Ekkert · ‎10-19-2016

If I explicitly added the full name, it works -- I was looking to avoid having to create 32 stanzas.. I presume it's a limitation of the matching logic or something.

i'll just go down the creation route.. thanks.

ddrillic · ‎10-19-2016

It doesn't make any sense. A limitation - maybe a bug ; -) smells like a bug for sure...

Is it possible to monitor and index files in a folder that has multiple periods in the name?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services