Getting Data In

Why does inputs.conf does not respect the use of a wildcard (batch*) in my monitor stanza?

leochan
Explorer

I want to monitor the following paths. I tried these two stanzas and neither of them work.

In the documentation - "The asterisk () matches anything in a single path segment;" Any suggestion why **batch** does not work?

Expected directories to monitor:

/opt/apps/aaa/bbb/ccc/batch/logs
/opt/apps/aaa/bbb/ccc/batch2/logs

Directory structure:

/opt/apps/aaa/bbb/ccc/batch/logs
/opt/apps/aaa/bbb/ccc/junk/logs
/opt/apps/aaa/bbb/ccc/batch2/logs

Does not work

[monitor:///opt/apps/aaa/bbb/ccc/batch*/logs]
[monitor:///opt/apps/aaa/bbb/ccc/batch(\d?)+/logs]

./splunk list monitor

Monitored Directories:
[No directories monitored.]
Monitored Files:
[/var/log]
0 Karma
1 Solution

stephanefotso
Motivator

Because of files extention specification
Here is what you was suppose to do for example, to monitor .log files:

[monitor:///opt/apps/aaa/bbb/ccc/batch*/logs]
whitelist=\.log$

or

[monitor:///opt/apps/aaa/bbb/ccc/batch*/logs/*.log]
SGF

View solution in original post

0 Karma

stephanefotso
Motivator

Because of files extention specification
Here is what you was suppose to do for example, to monitor .log files:

[monitor:///opt/apps/aaa/bbb/ccc/batch*/logs]
whitelist=\.log$

or

[monitor:///opt/apps/aaa/bbb/ccc/batch*/logs/*.log]
SGF
0 Karma

leochan
Explorer

I am able to get it working with

[monitor:///opt/apps/aaa/bbb/ccc/batch*/logs/*]

Anyone know why?

0 Karma

techish
New Member

Exactly same happened for me, it was not monitoring the log files with wildcard in the path

[monitor://D:\applications\jee\*\logs]
whitelist = \.log.*$|\.txt.*$|\.traceout.*$
crcSalt = <SOURCE>
disabled = false
followTail = false
ignoreOlderThan = 7d
index = websphere

08-17-2016 14:42:00.982 +1000 INFO TailingProcessor - Parsing configuration stanza: monitor://D:\applications\jee*\logs.
08-17-2016 14:42:00.982 +1000 INFO TailingProcessor - Adding watch on path: D:\applications\jee.

But it started working when I added * at the end 🙂

[monitor://D:\applications\jee\*\logs\*]
whitelist = \.log.*$|\.txt.*$|\.traceout.*$
crcSalt = <SOURCE>
disabled = false
followTail = false
ignoreOlderThan = 7d
index = websphere
0 Karma

techish
New Member

Just figured out it is not about having * at the end of directory path , it needs \ at the end of directory path. So following also works

[monitor://D:\applications\jee\*\logs\]
 whitelist = \.log.*$|\.txt.*$|\.traceout.*$
 crcSalt = <SOURCE>
 disabled = false
 followTail = false
 ignoreOlderThan = 7d
 index = websphere
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...