
Why is wildcard not working in log file name for input.conf?

phamxuantung
Communicator

Hello, I have the input.conf for several log files as

 

[monitor:///u01/mnt/log-1/data/trafficmanager/access/*]
index = myindex
sourcetype = csvtype
initCrcLength = 1048576

 

The log file name is structured as access_worker_*_YYYY_mm_dd.log. For example: access_worker_5_03_21.log, access_worker_6_03_21.log, access_worker_5_03_20.log, etc.

The stanza that I put in doesn't work, so I tried a specific file name, such as

[monitor:///u01/mnt/log-1/data/trafficmanager/access/access_worker_5_03_21.log]
index = myindex
sourcetype = csvtype
initCrcLength = 1048576

Then the log was pulled in with no problem. The problem that I see is the way I use my wildcard; somehow it doesn't catch all the log files that I want to monitor.

Can anyone point out how to fix this problem?


gcusello
SplunkTrust

Hi @phamxuantung ,

are you sure that the problem is the filename?

check whether the unread file has the same content (even if it has a different file name) as an already ingested file, because Splunk doesn't index a file twice.

If the files to read always have different filenames, you could try adding the following option:

crcSalt = <SOURCE>

Ciao.

Giuseppe


phamxuantung
Communicator

The files always have different names and the contents are also different. The difference between my 2 configs (where one works and one doesn't) is the path and file name

[monitor:///u01/mnt/log-1/data/trafficmanager/access/*]

-> This one doesn't work

vs

[monitor:///u01/mnt/log-1/data/trafficmanager/access/access_worker_5_03_21.log]

-> This does, but it can only index that specific file "access_worker_5_03_21.log" and not the others with similar names.

So the problem, I think, lies in how I use my wildcard.

I added crcSalt = <SOURCE> but it doesn't work.

 


gcusello
SplunkTrust

Hi @phamxuantung ,

there's no reason for this behavior,

please try with this header:

[monitor:///u01/mnt/log-1/data/trafficmanager/access/access_worker_*.log]

Ciao.

Giuseppe

phamxuantung
Communicator

Your stanza works and the log files are indexed as normal. I just wonder why Splunk can't catch all the files with the wildcard, so weird.


gcusello
SplunkTrust

Hi @phamxuantung ,

as I said, it's strange behavior that I have never experienced before; anyway, I'm happy that you solved your issue.

Ciao.

Giuseppe
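One way to check which files each monitor path from this thread should cover, so that an ingestion gap can be separated from a pattern problem (an added example, not part of the thread and not Splunk's own code). It assumes the regex equivalents Splunk documents for input wildcards (`*` as `[^/]*`, `...` as `.*`); the helper names and the last two entries of the file listing are constructed for illustration.

```python
import re

def monitor_to_regex(path):
    """Translate a monitor path containing Splunk wildcards into an anchored regex."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")       # '...' recurses through any number of directories
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")    # '*' never crosses a path separator
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

BASE = "/u01/mnt/log-1/data/trafficmanager/access"

# Constructed listing: three file names from the thread plus two hypothetical extras.
FILES = [
    f"{BASE}/access_worker_5_03_21.log",
    f"{BASE}/access_worker_6_03_21.log",
    f"{BASE}/access_worker_5_03_20.log",
    f"{BASE}/access_worker_5_03_19.log.gz",       # hypothetical compressed rotation
    f"{BASE}/archive/access_worker_5_03_18.log",  # hypothetical subdirectory
]

def uncovered(stanza_path, files=FILES):
    """Return the files that the monitor path would NOT match."""
    rx = monitor_to_regex(stanza_path)
    return [f for f in files if not rx.match(f)]

if __name__ == "__main__":
    for stanza in (f"{BASE}/*",
                   f"{BASE}/access_worker_*.log",
                   "/u01/mnt/.../*.log"):
        missed = uncovered(stanza)
        print(f"[monitor://{stanza}]")
        print(f"  matched {len(FILES) - len(missed)} of {len(FILES)} files")
        for f in missed:
            print(f"  not covered: {f}")
```

Both patterns from the thread match the three `access_worker_*.log` names, so when one of them still ingests nothing the next place to look is the forwarder's own logs rather than the pattern.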
