Splunk Search

Wildcard not working in monitor input

reach2tushar
Explorer

I used following syntax to monitor a file input in windows
[monitor://D:\app*\logs\a*.log]
The above stanza is not indexing any file. Getting the below error in splnkd.log on forwarder
FilesystemChangeWatcher - error getting attributes of path "\D:": The filename, directory name, or volume label syntax is incorrect.

But when I use following input, it works.
[monitor://D:\appdev\logs\a*.log]

Please help.

0 Karma

woodcock
Esteemed Legend

Try this:

[monitor://D:\*\log\a*.log]
whitelist = D:\app*\log\a*.log
0 Karma

reach2tushar
Explorer

Hi, Thanks for the reply.
The wildcard just after the root directory is not working in Splunk. Could you please check at your end if this works?

0 Karma

sassens1
Path Finder

Hi,

can you try this

 [monitor://D:\app*\log\]
 index = <your_index>
 sourcetype = <your_sourcetype>
 whitelist = a*\.log$

See also: http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

0 Karma

reach2tushar
Explorer

Thanks for the reply.
It's not working. The reason is that I provided wildcard just after the drive D:\app*\log. when we provide an input like following, it works.
[monitor://D:\appdev\l*]

Please confirm if there is any other way to provide wildcard to a folder after D:\

0 Karma

sassens1
Path Finder

well

you can also play with the path, can you change the directory to something like D:\newdir\appxxx and then recursively monitor the newdir ?

  [monitor://D:\...\log\a*.log]
  whitelist =  D:\app*\

see also https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Specifyinputpathswithwildcards

0 Karma

reach2tushar
Explorer

No, we cannot change the directory as it is on forwarder and it is generated by an application.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...