I can't find the correct way to recursively monitor sub-directories in Windows for all files ending in .log.
Can someone please enlighten me with the proper inputs.conf stanza?
Thanks,
here is the regular path and path under Program Files:
C:\Program Files\ari1\ari2\ari3\another_test.log
C:\Users\adonio\Desktop\ari1\ari2\ari3\ari.log
here are inputs:
[monitor://C:\Users\adonio\Desktop\ari1\...\]
index = test_ari
sourcetype = test_ari
[monitor://C:\Program Files\ari1\...\]
index = test_ari
sourcetype = another_test_ari
here is a screenshot:
here is the regular path and path under Program Files:
C:\Program Files\ari1\ari2\ari3\another_test.log
C:\Users\adonio\Desktop\ari1\ari2\ari3\ari.log
here are inputs:
[monitor://C:\Users\adonio\Desktop\ari1\...\]
index = test_ari
sourcetype = test_ari
[monitor://C:\Program Files\ari1\...\]
index = test_ari
sourcetype = another_test_ari
here is a screenshot:
Thanks for the confirmation. I am using the same input so this makes me believe there is something else wrong with my install.
Here is my inputs.conf...
[monitor://C:\Program Files\PaperCut NG\...\*.log]
index = infotech
sourcetype = papercut
disabled = 0
And there are multiple log files under multiple subdirectories that aren't being indexed.
i suspect that there is something in the "PaperCut NG" directory name
try to go to explorer all the way to file path, right click on the path and copy it to notepad++
verify the space between PaperCut and NG is really a space.
copy the exact path from notepad++ to your inputs.conf
replace the sub-directories with ...\
The inputs.conf is pushed from our deployment server so it was created using vim and doubtfully has any weird spaces.
I have edited the file locally and made sure there are no strange spaces or characters. It looks as though it sees the files but just does not index them. I can echo information to the files and I get no results when doing an All Time (Real Time) search on the file.
can you share your full path to file and your inputs.conf?
i think you mean to this:
example: monitor everything in C:\file\mylogs drive and look for .log extension files
[monitor://C:\file\mylogs\*.log]
all examples here:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Specifyinputpathswithwildcards
That works for c:\file\mylogs\file.log but not for c:\file\mylogs\morelogs\evenmorelogs\file.log
I understand that recursive=true is the default but it doesn't appear to work in this case.
I've tried...
[monitor://c:\file\mylogs\...\*.log]
with no luck either.
I've tried...
[monitor://c:\file\mylogs\...\]
whitelist=(\.log$)
also with no luck.
Also, I see some documentation using:
recursive=true
and some showing...
recurse=true
I realize that is also the default but which is correct if hardsetting the option?
hello there,
so i tested and created a file in: C:\Users\adonio\Desktop\ari1\ari2\ari3\ari.log
my input.conf is:
[monitor://C:\Users\adonio\Desktop\ari1\...\]
index = test_ari
sourcetype = test_ari
it captures the data
tried as well with:
[monitor://C:\Users\adonio\Desktop\ari1\...\*.log]
index = test_ari
sourcetype = test_ari
works just fine
please verify your full path to file.
hope it helps
Thanks, I've tried this as well without success. Do you know if spaces in the path might be a problem? I am looking in the "Program Files" directory and that is the only difference I see.
Also, can you tell me what version of Forwarder you are using as well as your Splunk installation version please?
There must be something wonky with my install.
Thanks, I appreciate it. A LOT.
i am putting a new answer so i can attach screenshot
it works well with Program Files as well