Hi,
I have the below log files under the path /path/to/app/
usera-x.log
userb-x.log
userc-x.log
userd-y.log
usere-y.log
userf-z.log
userg-z.log
.
.
etc
To extract *-x.log I am using the below inputs.conf, but the data isn't being indexed into Splunk. Is there any issue with my inputs.conf?
[monitor://E:\path\to\app\*-x.log]
disabled = 0
index = test
sourcetype = metric
Hi,
Can you try with the below syntax?
[monitor://E:\path\to\app\*x.log]
disabled = 0
index = test
sourcetype = metric
Verify the path properly and check whether the internal logs are coming from the forwarder or not. Also, is there any error in the splunkd.log?
Did you restart the forwarder after modifying inputs.conf?
Yes, I have restarted the forwarder but no luck. I am wondering if *- is causing any problems?
The * shouldn't be a problem. We use it extensively in our monitor stanzas, both as parts of filenames and as path segments. Has your test index already been created?
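
An added example, not part of the thread and not Splunk's own code: a sketch of the wildcard translation described in the inputs.conf documentation (`*` stays within one path segment, `...` recurses), used to check which of the question's files each stanza would select. The function names, the translation details and the file in the `old` subdirectory are assumptions made for illustration.

```python
import re

def monitor_to_regex(stanza, sep="\\"):
    """Split a monitor stanza into its wildcard-free base directory and a
    regex for the full path. Approximation (assumption): '...' -> '.*',
    '*' -> any run of characters that are not the path separator."""
    path = stanza.strip("[]")
    if path.startswith("monitor://"):
        path = path[len("monitor://"):]
    wild = [i for i in (path.find("*"), path.find("...")) if i != -1]
    # The longest wildcard-free directory prefix is what gets monitored.
    base = path[:path.rfind(sep, 0, min(wild))] if wild else path
    parts, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif path[i] == "*":
            parts.append("[^" + re.escape(sep) + "]*")
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    return base, re.compile("^" + "".join(parts) + "$")

def matching_files(stanza, files, sep="\\"):
    """Return the files whose full path the stanza's wildcards select."""
    _, rx = monitor_to_regex(stanza, sep)
    return [f for f in files if rx.match(f)]

# Constructed sample: the file names from the question under the stanza's
# directory, plus one file in a subdirectory (hypothetical).
DIR = "E:\\path\\to\\app\\"
FILES = [DIR + n for n in (
    "usera-x.log", "userb-x.log", "userc-x.log", "userd-y.log",
    "usere-y.log", "userf-z.log", "userg-z.log", "old\\userh-x.log")]

if __name__ == "__main__":
    for stanza in (r"[monitor://E:\path\to\app\*-x.log]",
                   r"[monitor://E:\path\to\app\*x.log]"):
        base, rx = monitor_to_regex(stanza)
        print(stanza, "base:", base, "regex:", rx.pattern)
        for f in matching_files(stanza, FILES):
            print("   ", f)
```

Both stanzas select the same three `-x.log` files here, so when nothing is indexed the remaining checks are the ones raised in the replies: the path on the forwarder, splunkd.log, and whether the index exists.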