Getting Data In

inputs.conf wildcard Windows log

balcv
Contributor

I have log files coming in from a Windows Server, and I can receive the required files when I specify the specific filename; however, I need to use a wildcard and it does not seem to be working.

The log file I need to receive is named d:[path]\localhost_access_log.2019-11-08.txt, but I would like to replace the date section with a wildcard, such as d:[path]\localhost_access_log.*.txt; however, the log stops when I use the wildcard.

My inputs.conf looks like:

[monitor://D:\[path]\logs\]
whitelist=localhost_access_log*txt
disabled = 0

I've tried numerous variations such as * ... etc., as I've seen referenced in various posts; however, none have worked.
When I include the exact file name in the monitor section, the log works fine; however, I need the date to be wildcarded.

Any suggestions greatly appreciated.

0 Karma
1 Solution

ivanreis
Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

woodcock
Esteemed Legend

Like this:

[monitor://D:\[path]\logs\localhost_access_log.*.txt]
disabled = 0

The reason that you think that it is not working is because you are probably testing it wrong. By default, Splunk will NOT resend a file just because you change the name; you have to change the content, too. Put this setting in place, then restart Splunk there, then manually create a new file that should be forwarded and fill it with anything but what is already there. It will work.

p_gurav
Champion

Can you try:

 [monitor://D:\[path]\logs\localhost_access_log*.txt]
 disabled = 0

Also, please find here more examples of wildcards.

0 Karma

balcv
Contributor

Thanks p_gurav. This has not changed the result. I still get no data being returned.

0 Karma

ivanreis
Builder

Try this:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d[^-].*.txt$
disabled = 0

https://regex101.com/r/vXzgcK/1

If it did not work, you have to troubleshoot the input.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Troubleshoottheinputprocess

0 Karma

balcv
Contributor

Looks like this worked. Thanks very much.

0 Karma

ivanreis
Builder

If my solution worked, please accept the answer.

balcv
Contributor

Your solution was not provided in the "Answer" section, only as a comment, so I am unable to accept the answer. If you copy it into "Post your answer", I can then accept it as correct.

0 Karma

ivanreis
Builder

I converted it to an answer. Thanks.

0 Karma

ivanreis
Builder

Try this one:
[monitor://D:[path]\logs]
whitelist=localhost_access_log.\d{4}-\d{2}-\d{2}.txt
disabled = 0

0 Karma

balcv
Contributor

No, it appears not to be working either, ivanreis.

0 Karma
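
Added example, not part of the thread or of Splunk's own code: a quick offline check of the three `whitelist` values posted above against the file name from the question. It assumes, per Splunk's inputs.conf documentation, that `whitelist` is a regular expression searched unanchored against the full path (not a shell glob), and uses Python's `re` as a stand-in for Splunk's PCRE engine, which behaves the same for these patterns; the `strict` pattern and the two negative paths are constructed here.

```python
import re

# File name from the question; "[path]" is the poster's own placeholder.
SAMPLE = r"D:\[path]\logs\localhost_access_log.2019-11-08.txt"
# Constructed negative cases: a backup copy and an unrelated log.
OTHER = [
    r"D:\[path]\logs\localhost_access_log.2019-11-08.txt.bak",
    r"D:\[path]\logs\catalina.2019-11-08.log",
]

# whitelist values exactly as posted in the thread.
WHITELISTS = {
    "question": r"localhost_access_log*txt",
    "accepted": r"localhost_access_log.\d[^-].*.txt$",
    "dated": r"localhost_access_log.\d{4}-\d{2}-\d{2}.txt",
}
# Stricter variant added for this example: literal dots escaped, end anchored.
WHITELISTS["strict"] = r"localhost_access_log\.\d{4}-\d{2}-\d{2}\.txt$"


def whitelist_matches(pattern, path):
    """Unanchored regex search over the full path (assumed Splunk behaviour)."""
    return re.search(pattern, path) is not None


def report(paths):
    """Map each whitelist name to its match result for every path, in order."""
    return {name: [whitelist_matches(rx, p) for p in paths]
            for name, rx in WHITELISTS.items()}


if __name__ == "__main__":
    # As a regex, "log*txt" means "lo", zero or more "g", then "txt",
    # so the glob-style value from the question never matches the dated file.
    for name, hits in report([SAMPLE] + OTHER).items():
        print(f"{name:9} {WHITELISTS[name]!r:50} {hits}")
```

A pattern that matches here only shows the file is eligible for monitoring; whether Splunk re-reads a file it has already seen is the separate issue raised in woodcock's reply.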