Dashboards & Visualizations

monitor file with dynamic directiory name

wickett
New Member

I have the following folder listing in C:\Resources\Directory\ which the naming of the folder are dynamic. It changes dynamically when logs are created with this type of prefix (dynamic).(dynamic).(Fixed)

Example :
(dynamic) . (dynamic) . (Fixed)
0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.DiagnosticStore
0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.localInstallDirectory
0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.LogStorage

Questions :

  • Let say I want to index all files under 0068f67b289b43dfb5302cb26cb9e536.KeyValidationWebRole.DiagnosticStore. Can I structure my inputs.conf monitor stanza using wildcards example for all new created dynamic foldername ? :
[monitor://C:\Resources\Directory\*.*.DiagnosticStore]
disabled = false
followTail = 0
sourcetype = mysourcetype
  • Let say in my inputs.conf I index entire folder under C:\Resources\Directory but there is several files under *.KeyValidationWebRole.DiagnosticStore which needs props.conf to change the encoding. How do I write the config stanza that need the encoding exception ?
0 Karma

tgow
Splunk Employee
Splunk Employee

Looking at the online docs I see the following:

Note concerning wildcards and monitor:

  • You can use wildcards to specify your input path for monitored input. Use "..." for recursive directory matching and "*" for wildcard matching in a single directory segment.
  • "..." recurses through directories. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc.
  • You can use multiple "..." specifications in a single input path. For example: /foo/.../bar/...
  • The asterisk () matches anything in a single path segment; unlike "...", it does not recurse. For example, /foo//bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar . A second example: /foo/m*r/bar matches /foo/bar, /foo/mr/bar, /foo/mir/bar, /foo/moor/bar, etc.
  • You can combine "" and "..." as required: foo/.../bar/ matches any file in the bar directory within the specified path.

Are there files under the DiagnosticStore directory?

[monitor://C:\Resources\Directory...DiagnosticStore...]

Does this work.

Here is the link to more info in the Docs:

http://docs.splunk.com/Documentation/Splunk/4.2.4/admin/Inputsconf

0 Karma

tgow
Splunk Employee
Splunk Employee

On the first question, I would use the "..." syntax in your monitor stanza. For instance:

[monitor://C:\Resources\Directory...DiagnosticStore]

On the second question you can use the "..." syntax as well in the prop.conf to pull out only certain files and give them specific encoding. For instance:

[source::...KeyValidationWebRole.DiagnosticStore...]
sourcetype=awesome

Might help to see what the file names under this directory.

0 Karma

wickett
New Member

Tried your solution and it does not work

Not working

[monitor://C:\Resources\Directory\ ..DiagnosticStore]

[monitor://C:\Resources\Directory\...DiagnosticStore]

[monitor://C:\Resources\Directory\*DiagnosticStore]

Any suggestions ??

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...