wildcard not working in inputs.conf

a212830
Champion

Hi,

I need to monitor a single file that exists in multiple directories, which can change without my notice, but will follow the same format. I tried setting up a wildcard, but it's not working.

The directory structure is:

/pwstcdwlk*/log/*/gpws_error.log

The filename is always gpws_error.log, and the filesystem will always begin with /pwstcdwlk, but the segment after log can change and be almost anything.

I had the following, but it did not work.

[monitor:///pwstcdwlk*/log/.../gpws_error.log]
recursive = yes
disabled = false
followTail = false
sourcetype  = log4j
index =  throwaway

1 Solution

a212830
Champion

Looks like a bug in 5.01 - upgraded to 5.04, and everything worked.

the_wolverine
Champion

FWIW, I also encountered this in 4.3.3.3 -- not sure if any other versions affected.

[monitor:///*dir*/logs/*/*.log]

Did not work properly. Something about the wildcard at the base directory.

I had to use

[monitor:///actualdirname/logs/*/*.log]

a212830
Champion

Lots of data available, with multiple logs. The splunkd.log isn't showing any errors - just this message: 03-06-2014 08:02:58.235 -0500 INFO TailingProcessor - Parsing configuration stanza: monitor:///pws*/log/.../gpws_error.log.

Here's some sample output of an ls command:

-rw-rw-r-- 1 blahblah blahblah 165 Mar 5 08:15 /pwstcawlk3/log/PROCESSMONITOR/gpws_error.log
-rw-rw-r-- 1 blahblah blahblah 180874 Mar 5 10:22 /pwstcawlk2/log/HTTPCONTROLLERARCH/gpws_error.log

Those files (and others) are not being indexed. BTW - this is on AIX, if that matters.

theouhuios
Motivator

Do you see any error in the logs? If that's the case then your stanza looks right to me. There is no data being indexed from the log file? How many lines does the log file have?

a212830
Champion

The ones that I want all begin with pwstcdwlk, but it can change after that - could be a 1, could be abc... - out of my control. I don't want to make it wide open, as other files could be grabbed.

theouhuios
Motivator

You mentioned a specific directory structure. Do you have multiple directory structures like that?

Try [monitor:///.../log/.../gpws_error.log]

... -> is a recursive wildcard. What you have as of now should also work if there is something like pwstcdwlkABC,pwstcdwlk123 etc.

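
How the wildcards in these stanzas map to file paths, as an added example that is not part of the original thread and is not Splunk's code. It assumes the translation given in Splunk's documentation (`...` becomes `.*`, `*` becomes `[^/]*`, and the longest wildcard-free prefix is the directory actually monitored); the helper names and the `/opt/other/...` path are constructed for illustration.

```python
import re

def monitor_path(stanza):
    """Extract the path from a '[monitor://<path>]' stanza header."""
    return stanza.strip("[]").split("monitor://", 1)[1]

def base_dir(path):
    """Longest wildcard-free directory prefix: where the crawl starts."""
    kept = []
    for seg in path.strip("/").split("/"):
        if "*" in seg or "..." in seg:
            break
        kept.append(seg)
    return "/" + "/".join(kept)

def to_regex(path):
    """'...' -> '.*' (any depth), '*' -> '[^/]*' (stays inside one segment)."""
    out = []
    for part in re.split(r"(\.\.\.|\*)", path):
        if part == "...":
            out.append(".*")
        elif part == "*":
            out.append("[^/]*")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")

def covers(stanza, file_path):
    """True if file_path falls under the stanza's wildcard pattern."""
    return bool(to_regex(monitor_path(stanza)).match(file_path))

# First two paths are from the ls output in the thread; the third is constructed.
SAMPLES = [
    "/pwstcawlk3/log/PROCESSMONITOR/gpws_error.log",
    "/pwstcawlk2/log/HTTPCONTROLLERARCH/gpws_error.log",
    "/opt/other/log/app/gpws_error.log",
]
STANZAS = [
    "[monitor:///pwstcdwlk*/log/.../gpws_error.log]",  # original question
    "[monitor:///pws*/log/.../gpws_error.log]",        # as logged by splunkd.log
    "[monitor:///.../log/.../gpws_error.log]",         # suggested wider form
]

if __name__ == "__main__":
    for s in STANZAS:
        print(s, "-> crawl starts at", base_dir(monitor_path(s)))
        for p in SAMPLES:
            print("   ", "match" if covers(s, p) else "skip ", p)
```

As posted, the `ls` paths are spelled `pwstcawlk`, so of the three stanzas the `pwstcdwlk*` one does not cover them, while the `/.../log/...` form also picks up the unrelated directory. All three wildcard stanzas start their crawl at `/`, whereas `/actualdirname/logs/*/*.log` starts at `/actualdirname/logs`.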