How do I wildcard any Windows drive letter in the inputs.conf stanza below?
inputs.conf
[monitor://[A-Z]:\Data\Disk1\*\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
Causes the below error...
07-16-2015 10:53:57.601 -0400 WARN TailingProcessor - Input stanza path, '[A-Z]:\\Data\\Disk1\\*\\MSSQL\\Log\\ERRORLOG*' is not absolute. This is a configuration error and may not work / break things. Change this path to an absolute path.
So this gets into how Splunk actually identifies what it needs to monitor. Take a more traditional monitor stanza like:
[monitor://C:\Data\Disk1\*\MSSQL\Log\ERRORLOG*]
When Splunk sees the above, it goes to the deepest full path given, C:\Data\Disk1\, and turns the rest of the stanza name into a regex-based whitelist which is checked against all children of the given path.
When your monitor stanza starts with a wildcard, it has no base path to enumerate in the first place. (Windows doesn't have an equivalent to /.) Even if it did, this is a bad idea, as Splunk will need to enumerate every single file on a system to see if it is a regex match of the desired path.
To add an actual solution, just put up to 26 stanzas in your inputs.conf.
Yes, apologies, I thought this was implied in my answer.
It was, no worries.
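The base-path/whitelist split described in the answer and the per-drive workaround from the comment, as an added Python example that is not part of the original thread and is not Splunk's own code. The function names are hypothetical, and the wildcard-to-regex translation (`*` stays within one path segment, `...` crosses directories) is a simplified model of the behaviour, assumed here for illustration.

```python
import re
import string

ABSOLUTE = re.compile(r"^[A-Za-z]:\\")   # a literal drive root such as C:\
WILDCARD = re.compile(r"\.\.\.|\*")      # monitor wildcards: '...' and '*'

def split_monitor_path(path):
    """Model (not Splunk's code) of the split described in the answer.

    Returns (base_path, whitelist_regex): base_path is the deepest
    wildcard-free directory; the full path becomes the whitelist regex.
    """
    m = WILDCARD.search(path)
    if m is None:
        return path, None
    # Cut just after the last separator that precedes the first wildcard.
    base = path[: path.rfind("\\", 0, m.start()) + 1]
    parts = re.split(r"(\.\.\.|\*)", path)
    regex = "".join(
        ".*" if p == "..." else r"[^\\]*" if p == "*" else re.escape(p)
        for p in parts
    )
    return base, "^" + regex + "$"

def is_monitorable(path):
    """True when the base path starts at a literal drive root."""
    base, _ = split_monitor_path(path)
    return bool(ABSOLUTE.match(base))

def per_drive_stanzas(tail, settings, drives=string.ascii_uppercase):
    """Emit one [monitor://X:\\tail] stanza per drive letter."""
    blocks = []
    for d in drives:
        lines = [f"[monitor://{d}:\\{tail}]"]
        lines += [f"{k} = {v}" for k, v in settings.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

if __name__ == "__main__":
    tail = r"Data\Disk1\*\MSSQL\Log\ERRORLOG*"
    # The stanza from the question has no literal drive root to enumerate.
    print(is_monitorable("[A-Z]:\\" + tail))
    # Constructed drive list; omit the third argument for all 26 letters.
    print(per_drive_stanzas(tail, {"sourcetype": "mssql:errorlog"}, "CDE"))
```

Stanzas for drive letters that do not exist on a host simply match nothing, so the generated file can be deployed unchanged across servers with different disk layouts.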