Hello,
On my forwarder, at $SPLUNK_HOME/etc/system/local/inputs.conf, I have a monitor configured:
[monitor://C:\Program Files (x86)\Application\Application Logs\Logs]
disabled = 0
whitelist = (log$)
I can see from my indexer that the log files I expect to be indexed are there.
I want to adjust the sourcetype for that particular source, so I configured $SPLUNK_HOME/etc/system/local/props.conf as follows:
[source::C:\\Program Files (x86)\\Application\\Application Logs\\Logs\\*.log]
sourcetype = custom_sourcetype
However, that stanza does not seem to work. After playing around, I managed to find the following stanza below which works:
[source::...\\Logs\\*.log]
sourcetype = custom_sourcetype
Could someone please tell me why? Do spaces, or parentheses in the source file name need to be escaped somehow?
Thanks!
Instead of using the *.log, use the whitelist and do not escape the parenthesis. I also found no need to escape the backslashes in the path.
[source::C:\Program Files (x86)\Application\Application Logs\Logs\]
sourcetype = custom_sourcetype
whitelist = \.log$
This whitelist will only match files with .log at the very end, so it's not going to grab other stuff like blah.log.bak. Remove the $ to get files with stuff past the .log.
Hi roychen,
Yes, the parentheses need to be escaped. In the source:: stanza in props.conf the parentheses limit the scope of the alternation operator |. Try using \( and \).
HTH
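As an added illustration (not from this thread and not Splunk's own code), the snippet below models the source:: stanza matching rules discussed above: ... matches any path, * matches within one path component, and everything else is treated as a regular expression, so an unescaped ( opens a group instead of matching a literal parenthesis. The sample path is constructed from the one in the question; the model is a simplification and assumes Splunk's matching follows these documented rules.

```python
import re

# Constructed sample source path, modelled on the one in the question.
SAMPLE_SOURCE = r"C:\Program Files (x86)\Application\Application Logs\Logs\app.log"


def stanza_to_regex(pattern: str) -> str:
    r"""Translate a [source::<pattern>] stanza name into a Python regex.

    Simplified model of the documented matching rules (an assumption,
    not Splunk's implementation):
      '...'  matches any characters, path separators included
      '*'    matches any characters except a path separator
      the rest is regex syntax, so '\\' is one literal backslash and an
      unescaped '(' opens a group instead of matching a literal '('.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^\\/]*")
            i += 1
        else:
            parts.append(pattern[i])
            i += 1
    return "".join(parts)


def source_matches(stanza: str, source: str) -> bool:
    """True if the whole source path matches the stanza pattern."""
    return re.fullmatch(stanza_to_regex(stanza), source) is not None


def whitelist_matches(whitelist: str, filename: str) -> bool:
    """An inputs.conf whitelist is a plain regex searched against the path."""
    return re.search(whitelist, filename) is not None


if __name__ == "__main__":
    full = r"C:\\Program Files (x86)\\Application\\Application Logs\\Logs\\*.log"
    # '(x86)' becomes a group matching 'x86', so the literal '(x86)' never matches.
    print(source_matches(full, SAMPLE_SOURCE))                          # False
    # Escaping the parentheses makes them match the literal characters.
    print(source_matches(full.replace("(x86)", r"\(x86\)"), SAMPLE_SOURCE))  # True
    # The '...' form works because it never spells out '(x86)'; '*' stays within one directory.
    print(source_matches(r"...\\Logs\\*.log", SAMPLE_SOURCE))                # True
    # whitelist = \.log$ keeps rotated copies such as blah.log.bak out.
    print(whitelist_matches(r"\.log$", "blah.log"), whitelist_matches(r"\.log$", "blah.log.bak"))
```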
Hi roychen,
Yes, the three dots mean "any path". Did you try using the three dots with or without that one slash as I suggested? Basically, since you were successful with your second example, I think you could be lucky using the full path, but replacing C: with the dots.
Hi echalex,
I believe the three periods ... means to recurse through directories until the match is met.
Windows paths still need to be specified with the backslash \, or \\ in the case of props.conf, rather than the slash /.
Still, thank you for your efforts! 🙂
Hi roychen,
Unfortunately I'm not very familiar with Windows or running Splunk on it. However, looking at the props.conf files coming with Splunk, I see that most of the source:: stanzas seem to start with three dots (...).
Perhaps you could try:
[source::.../C:\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\filename.log]
or even (with or without that first slash after the ...)
[source::.../\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\filename.log]
Hello echalex,
It seems even escaping the parentheses with \ doesn't work.
My stanza was:
C:\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\filename.log
Thanks!