wildcard not working in inputs.conf

a212830
Champion

Hi,

I need to monitor a single file that exists in multiple directories, which can change without my notice, but will follow the same format. I tried setting up a wildcard, but it's not working.

The directory structure is:

/pwstcdwlk*/log/*/gpws_error.log

The filename is always gpws_error.log, and the filesystem will always begin with /pwstcdwlk, but the segment after log can change and be almost anything.

I had the following, but it did not work.

[monitor:///pwstcdwlk*/log/.../gpws_error.log]
recursive = yes
disabled = false
followTail = false
sourcetype = log4j
index = throwaway

a212830
Champion

Looks like a bug in 5.01 - upgraded to 5.04, and everything worked.

the_wolverine
Champion

FWIW, I also encountered this in 4.3.3.3 -- not sure if any other versions affected.

[monitor:///*dir*/logs/*/*.log]

Did not work properly. Something about the wildcard at the base directory.

I had to use

[monitor:///actualdirname/logs/*/*.log]
a212830
Champion

Lots of data available, with multiple logs. The splunkd.log isn't showing any errors - just this message: 03-06-2014 08:02:58.235 -0500 INFO TailingProcessor - Parsing configuration stanza: monitor:///pws*/log/.../gpws_error.log.

Here's some sample output of an ls command:

-rw-rw-r-- 1 blahblah blahblah 165 Mar 5 08:15 /pwstcawlk3/log/PROCESSMONITOR/gpws_error.log
-rw-rw-r-- 1 blahblah blahblah 180874 Mar 5 10:22 /pwstcawlk2/log/HTTPCONTROLLERARCH/gpws_error.log

Those files (and others) are not being indexed. BTW - this is on AIX, if that matters.

theouhuios
Motivator

Do you see any error in the logs? If that's the case then your stanza looks right to me. There is no data being indexed from the log file? How many lines does the log file have?

a212830
Champion

The ones that I want all begin with pwstcdwlk, but it can change after that - could be a 1, could be abc... - out of my control. I don't want to make it wide open, as other files could be grabbed.

theouhuios
Motivator

You mentioned a specific directory structure. Do you have multiple directory structures like that?

try [monitor:///.../log/.../gpws_error.log]

... -> is a recursive wildcard. What you have as of now should also work if there is something like pwstcdwlkABC,pwstcdwlk123 etc.

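An added example, not part of any post in this thread and not Splunk's own code: a Python check that approximates the documented wildcard handling for monitor paths (`...` becomes `.*`, `*` becomes `[^/]*`, and the longest wildcard-free prefix is the directory that gets watched) and runs the paths quoted in this thread against the two files from the `ls` output. The function names and the third, nested file path are constructed for illustration.

```python
import re

def monitor_to_regex(path):
    """Approximate the implicit whitelist Splunk derives from a monitor path."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):   # recursive wildcard: any depth
            out.append(".*")
            i += 3
        elif path[i] == "*":            # stays inside one path segment
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def watched_base(path):
    """Longest wildcard-free leading directory, i.e. where tailing starts."""
    keep = []
    for seg in path.split("/"):
        if "*" in seg or seg == "...":
            break
        keep.append(seg)
    return "/".join(keep) or "/"

def coverage(stanzas, paths):
    """Map each monitor path to the file paths it would select."""
    return {s: [p for p in paths if monitor_to_regex(s).match(p)] for s in stanzas}

# Monitor paths and the directory pattern quoted in the thread.
STANZAS = [
    "/pwstcdwlk*/log/.../gpws_error.log",
    "/pwstcdwlk*/log/*/gpws_error.log",
    "/pws*/log/.../gpws_error.log",
    "/.../log/.../gpws_error.log",
]
# First two paths are from the ls output in the thread; the third is constructed.
PATHS = [
    "/pwstcawlk3/log/PROCESSMONITOR/gpws_error.log",
    "/pwstcawlk2/log/HTTPCONTROLLERARCH/gpws_error.log",
    "/pwstcdwlk1/log/APP/archive/gpws_error.log",
]

if __name__ == "__main__":
    for stanza, hits in coverage(STANZAS, PATHS).items():
        print(f"{stanza}  (base: {watched_base(stanza)})")
        for p in PATHS:
            print(f"    {'MATCH' if p in hits else 'miss '}  {p}")
```

Feeding it a real `ls` listing before restarting the forwarder shows which files each stanza variant would leave unindexed, and how far up the tree a leading wildcard pushes the watched directory.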