Wildcard to monitor in inputs.conf

SS1 · ‎03-11-2021

Hi,

I have below log files under path /path/to/app/

usera-x.log

userb-x.log

userc-x.log

userd-y.log

usere-y.log

userf-z.log

userg-z.log

.

etc

To extract *-x.log i am using below inputs.conf, but the data isnt being indexed into splunk. Is there any issue with my inputs.conf

[monitor://E:\path\to\app\*-x.log]
disabled = 0
index = test
sourcetype = metric

Vardhan · ‎03-13-2021

Hi,

Can you try with below syntax.

[monitor://E:\path\to\app\*x.log]
disabled = 0
index = test
sourcetype = metric

verify the path properly and check the internal logs are coming from the forwarder or not? And also is there any error in the splunkd.log ?

SS1 · ‎03-11-2021

@woodcock @lguinn2

richgalloway · ‎03-11-2021

Did you restart the forwarder after modifying inputs.conf?

---
If this reply helps you, Karma would be appreciated.

SS1 · ‎03-11-2021

Yes, I have restarted the forwarder but no luck. I am wondering if *- is causing any problems?

DaClyde · ‎03-11-2021

The * shouldn't be a problem. We use it extensively in our monitor stanzas, both as parts of filenames and as path segments. Has your test index already been created?

Wildcard to monitor in inputs.conf

indexer

inputs.conf

universal forwarder

whitelist

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk