
Inputs.conf and special characters

rmorlen
Splunk Employee

I have an inputs.conf file that had a monitor statement like:

[monitor:///*_ECM/A/doc/abc.log]

Files are NOT being picked up. If I get rid of the * and put a file name like:

[monitor:///DOC_ECM/A/doc/abc.log]

it works fine.

How do I escape out the "_" or use a Regex to get the correct filenames?

0 Karma

lguinn2
Legend

This seems like a bug, based on what you have described here. I would file a support ticket.

But I think there may also be a work-around.

First, for the stanza, do either of these work?

[monitor:///*ECM/A/doc/abc.log]

[monitor:///*/A/doc/abc.log]

If you can make it work for a wider selection of directories (I know that isn't optimal), then you can restrict using the whitelist:

[monitor:///*ECM/A/doc/abc.log]
whitelist=^/.*?_ECM/

This whitelist should work for either of the stanzas above. Whitelists are regular expressions, stanzas are not.
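
A way to check both patterns offline before editing inputs.conf, as an added example that is not part of the original thread and is not Splunk's code. It assumes the wildcard meanings given in Splunk's monitor documentation (`*` stays within one path segment, `...` recurses) and that the whitelist regex is searched against the full path. The function names and sample paths are constructed, and how Splunk combines the two checks is not modelled.

```python
import re

def stanza_to_regex(monitor_path):
    """Translate monitor-path wildcards into an anchored regex (assumed
    semantics: '...' crosses directories, '*' stays inside one segment)."""
    out, i = [], 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            out.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(monitor_path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def base_directory(monitor_path):
    """Longest leading run of wildcard-free directories in the path."""
    kept = []
    for seg in monitor_path.strip("/").split("/")[:-1]:
        if "*" in seg or "..." in seg:
            break
        kept.append(seg)
    return "/" + "/".join(kept)

def check(monitor_path, whitelist, candidates):
    """Per path: (matches stanza wildcard, matches whitelist regex)."""
    stanza_re = stanza_to_regex(monitor_path)
    allow_re = re.compile(whitelist)
    return {p: (bool(stanza_re.match(p)), bool(allow_re.search(p)))
            for p in candidates}

# Constructed sample paths, not taken from the thread.
PATHS = [
    "/DOC_ECM/A/doc/abc.log",
    "/PDFECM/A/doc/abc.log",
    "/srv/DOC_ECM/A/doc/abc.log",
    "/DOC_ECM/A/doc/other.log",
]

if __name__ == "__main__":
    for stanza in ("/*_ECM/A/doc/abc.log", "/*ECM/A/doc/abc.log", "/*/A/doc/abc.log"):
        print(stanza, "base:", base_directory(stanza))
        for path, (glob_ok, allow_ok) in check(stanza, r"^/.*?_ECM/", PATHS).items():
            print(f"  {path}: stanza={glob_ok} whitelist={allow_ok}")
```

The whitelist `^/.*?_ECM/` also accepts `/srv/DOC_ECM/...`, because `.*?` can cross `/` while the stanza's `*` cannot.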

lguinn2
Legend

Thanks - let us know how it works out!

0 Karma

rmorlen
Splunk Employee

Submitted a ticket to support.

Tried your suggestions above and it did NOT work.

Even looking in the logs I see where Splunk is reading the values from inputs.conf but no files get picked up and show up in WatchedFile.

0 Karma

rmorlen
Splunk Employee

Linux, not Windows.

0 Karma

lukejadamec
Super Champion

Is this Windows? If so, you cannot use wildcards at the root.

0 Karma