I have an inputs.conf file that had a monitor statement like:
[monitor:///*_ECM/A/doc/abc.log]
Files are NOT being picked up. If I get rid of the * and put a file name like:
[monitor:///DOC_ECM/A/doc/abc.log]
it works fine.
How do I escape out the "_" or use a Regex to get the correct filenames?
This seems like a bug, based on what you have described here. I would file a support ticket.
But I think there may also be a work-around.
First, for the stanza, do either of these work?
[monitor:///*ECM/A/doc/abc.log]
[monitor:///*/A/doc/abc.log]
If you can make it work for a wider selection of directories (I know that isn't optimal), then you can restrict using the whitelist:
[monitor:///*ECM/A/doc/abc.log]
whitelist=^/.*?_ECM/
This whitelist should work for either of the stanzas above. Whitelists are regular expressions, stanzas are not.
Thanks - let us know how it works out!
Submitted a ticket to support.
Tried your suggestions above and it did NOT work.
Even looking in the logs I see where Splunk is reading the values from inputs.conf but no files get picked up and show up in WatchedFile.
Linux, not Windows.
Is this windows? If so, you cannot use wildcards at the root.