Monitoring Splunk

Similarly named local files are not monitored on Windows

dhirendra761
Contributor

My log files are named like "xxxx*.log.2018-06-27, xxxx*.log.2018-06-26, xxxx*.log.2018.....".
They are differentiated by the date on which they were generated.
Now I want to monitor the directory for log files.
When I search for the logs in the directory using Splunk, the source count is only 1. It takes only 1 file for the search.

All the log files have different contents, so I am not able to search across all the log files.
Please suggest what to do in this case.

Let me know in case more info is required.
0 Karma

woodcock
Esteemed Legend

Try this:

[monitor://D:\Splunk\Logs\*\dd\*.log]
disabled = false
sourcetype = dd
0 Karma

dhirendra761
Contributor

Thanks for the input.
But it doesn't work. If you rename the log files with different names, then it works and they are available for search.

0 Karma

sudosplunk
Motivator

Modify your monitor stanza as below:

[monitor://D:\Splunk\Logs\uVisit\dd\Visit*.log*]
disabled = false
sourcetype = dd

OR

[monitor://D:\Splunk\Logs\uVisit\dd]
disabled = false
whitelist = \.log\.\d+|\.log$
sourcetype = dd
0 Karma

dhirendra761
Contributor

Thanks for the input.
But it doesn't work. If you rename the log files with different names, then it works and they are available for search.

0 Karma

sudosplunk
Motivator

For the .log.date files, the file type is not Text document. Can you open and read the files with the date extension? If yes, then the above monitor stanza should work, as it uses *.log*, which matches all files under the dd directory.

0 Karma
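Added example (not part of any post in this thread, and not Splunk's own code): a small Python check of which file names each monitor stanza suggested above would select. It assumes Splunk's documented wildcard handling, where `*` matches within one path segment, `...` recurses, and the resulting pattern is anchored at the end of the path; the sample paths are constructed from the naming scheme in the question.

```python
import re

# Constructed sample paths, modelled on the file names described in the question.
SAMPLE_PATHS = [
    r"D:\Splunk\Logs\uVisit\dd\Visit01.log",
    r"D:\Splunk\Logs\uVisit\dd\Visit01.log.2018-06-27",
    r"D:\Splunk\Logs\uVisit\dd\Visit01.log.2018-06-26",
    r"D:\Splunk\Logs\uVisit\dd\notes.txt",
]

def wildcard_to_regex(monitor_path):
    # Approximation (assumption) of the implicit whitelist built from a
    # wildcard monitor path: "..." becomes ".*", "*" becomes "any run of
    # characters except a backslash", and the whole pattern is anchored.
    parts, i = [], 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(monitor_path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def matched_by_wildcard(monitor_path, paths=SAMPLE_PATHS):
    """Paths selected by a [monitor://...] stanza that contains wildcards."""
    rx = wildcard_to_regex(monitor_path)
    return [p for p in paths if rx.search(p)]

def matched_by_whitelist(directory, whitelist, paths=SAMPLE_PATHS):
    """Paths under a monitored directory that pass an unanchored whitelist regex."""
    rx = re.compile(whitelist)
    prefix = directory.rstrip("\\") + "\\"
    return [p for p in paths if p.startswith(prefix) and rx.search(p)]

if __name__ == "__main__":
    for stanza in (r"D:\Splunk\Logs\*\dd\*.log",
                   r"D:\Splunk\Logs\uVisit\dd\Visit*.log*"):
        print(stanza, "->", matched_by_wildcard(stanza))
    print("whitelist ->", matched_by_whitelist(
        r"D:\Splunk\Logs\uVisit\dd", r"\.log\.\d+|\.log$"))
```

Under these assumptions the `*.log` pattern selects only the file without a date suffix, while `Visit*.log*` and the whitelist form select all three log files and skip `notes.txt`.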

renjith_nair
Legend

@dhirendra761, how is your inputs.conf configured?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

dhirendra761
Contributor

I will share the links for the file directory which I currently use.

0 Karma

dhirendra761
Contributor

@renjith.nair Hi Renjith,
input.conf is configured as below:
[monitor://D:\Splunk\Logs\uVisit\dd]
disabled = false
sourcetype = dd

0 Karma