Getting Data In

Forwarder props.conf [source::] stanza

roychen
Path Finder

Hello,

On my forwarder, at $SPLUNK_HOME/etc/system/local/inputs.conf, I have a monitor configured:

[monitor://C:\Program Files (x86)\Application\Application Logs\Logs]
disabled = 0
whitelist = (log$)

I can see from my indexer that the log files I expect to be indexed are there.

I want to adjust the sourcetype for that particular source, so I configured $SPLUNK_HOME/etc/system/local/props.conf as follows:

[source::C:\\Program Files (x86)\\Application\\Application Logs\\Logs\\*.log]
sourcetype = custom_sourcetype

However, that stanza does not seem to work. After playing around, I managed to find the following stanza below which works:

[source::...\\Logs\\*.log]
sourcetype = custom_sourcetype

Could someone please tell me why? Do spaces or parentheses in the source file name need to be escaped somehow?

Thanks!

1 Solution

jkat54
SplunkTrust
SplunkTrust

Instead of using the *.log, use the whitelist and do not escape the parenthesis. I also found no need to escape the backslashes in the path.

[source::C:\Program Files (x86)\Application\Application Logs\Logs\]
sourcetype = custom_sourcetype
whitelist = \.log$

This whitelist will only match files with .log at the very end, so it's not going to grab other stuff like blah.log.bak. Remove the $ to get files with stuff past the .log.


echalex
Builder

Hi roychen,

Yes, the parentheses need to be escaped. In the source:: stanza in props.conf the parentheses limit the scope of the alternation operator |. Try using \( and \).

HTH
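To see why an unescaped parenthesis changes the match, the following added example (not code from the thread or from Splunk) emulates how a props.conf [source::<pattern>] body is read: Splunk documents the pattern as regex-type syntax where `...` recurses through any number of directories and `*` matches anything except a path separator, while everything else is regex text. The exact translation below, the whole-path anchoring, and the sample Windows path are assumptions made for this example.

```python
import re

# Constructed sample source path, shaped like the one in the question.
SAMPLE_SOURCE = r"C:\Program Files (x86)\Application\Application Logs\Logs\app.log"

# Stanza bodies as they would appear between [source:: and ] in props.conf.
UNESCAPED_PARENS = r"C:\\Program Files (x86)\\Application\\Application Logs\\Logs\\*.log"
ESCAPED_PARENS = r"C:\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\*.log"
RECURSIVE = r"...\\Logs\\*.log"
STAR_NO_RECURSE = r"C:\\Program Files \(x86\)\\*.log"  # '*' must not cross directories


def stanza_to_regex(pattern: str) -> str:
    """Translate a source:: stanza pattern into a Python regex.

    Assumed translation (an emulation for this example, not Splunk's code):
      '...' becomes '.*'            any number of path components
      '*'   becomes '[^/\\\\]*'     anything except '/' or '\\'
    All other text is passed through as regex, so an unescaped '(' opens a
    group (it matches 'x86', not '(x86)'), and '\\(' matches a literal '('.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append(r"[^/\\]*")
            i += 1
        elif pattern[i] == "\\" and i + 1 < len(pattern):
            # Keep escape pairs such as '\\' (literal backslash) or '\(' intact.
            out.append(pattern[i:i + 2])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def source_matches(pattern: str, source: str) -> bool:
    """Match the whole source path (anchoring is an assumption here)."""
    return re.fullmatch(stanza_to_regex(pattern), source) is not None


if __name__ == "__main__":
    for name, pat in [("unescaped parens", UNESCAPED_PARENS),
                      ("escaped parens", ESCAPED_PARENS),
                      ("recursive ...", RECURSIVE),
                      ("star only", STAR_NO_RECURSE)]:
        print(f"{name:16} regex={stanza_to_regex(pat)!r} "
              f"match={source_matches(pat, SAMPLE_SOURCE)}")
```

Under this reading the first stanza from the question fails only because `(x86)` is a regex group matching the three characters `x86`, and the `...\\Logs\\*.log` form works because `...` absorbs everything before the `Logs` directory; a pattern with a bare `*` in place of `...` does not match, since `*` stops at the first path separator.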

echalex
Builder

Hi roychen,

Yes, the three dots mean "any path". Did you try using the three dots with or without that one slash as I suggested? Basically, since you were successful with your second example, I think you could be lucky using the full path, but replacing C: with the dots.


roychen
Path Finder

Hi echalex,

I believe the three periods ... means to recurse through directories until the match is met.

Windows paths still need to be specified with the backslash \ (or \\ in the case of props.conf) rather than the slash /.

Still, thank you for your efforts! 🙂


echalex
Builder

Hi roychen,
Unfortunately I'm not very familiar with Windows or running Splunk on it. However, looking at the props.conf files coming with Splunk, I see that most of the source:: stanzas seem to start with three dots (...).

Perhaps you could try:

[source::.../C:\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\filename.log]

or even (with or without that first slash after the ...)

[source::.../\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\filename.log]

roychen
Path Finder

Hello echalex,

It seems even escaping the parentheses with \ doesn't work.

My stanza was:

C:\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\filename.log

Thanks!
