Getting Data In

inputs.conf monitor stanza for Windows Universal Forwarder with wildcards not working

Neur0mencer
Explorer

I'm facing a problem with writing a stanza that would collect log files from a directory tree. The tree is (example):

D:\Log\App\Module1\Log\%timestamp%-actual.log
D:\Log\App\Module2\Log\%timestamp%-actual.log
D:\Log\App\Module3\Log\%timestamp%-actual.log

I wish to grab the .log files from the tree.

Thus I wrote into inputs.conf:

[MonitorNoHandle://D:\Log\App\*\Log\*.log

This isn't really working. In fact, I've tried several ways, none are working (just two examples below):

[MonitorNoHandle://D:\Log\App\...]
whitelist = \\*\.log$

[MonitorNoHandle://D:\Log\App\Module\Log]
whitelist = \\*\.log$

I'm also placing below the above:

disabled = 0
index = test
sourcetype = app-log

Please help with the stanza wildcards?!
I've read several posts on the forums already, not to mention the documentation, and this doesn't seem to work.
There are no obvious errors (log_level > info) when monitoring after splunk reload deploy-server, the app is downloaded to the folders... but the logs are not coming in.

0 Karma
1 Solution

Mayurmpatil
Path Finder

[monitor://D:\Log\App*\Log*.log]
disabled = 0

Use the document below:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Monitorfilesanddirectorieswithinputs.conf

You are using m in caps (M).

Neur0mencer
Explorer

Thank you 🙂

So, I had not noticed that [MonitorNoHandle] is apparently meant for a single file, while [monitor] is spelled in lower case.

In the end, what worked for me was:
[monitor://D:\Log\APP*\Log...]
whitelist = \*.log$
disabled = 0
sourcetype = APP-Trace.log

[monitor://D:\Log\APP\*\PerformanceLogs\...]
whitelist = \\*\.log$
disabled = 0
sourcetype = APP-PerformanceLogs.log

Thank you sir!

0 Karma
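
Added example (not part of the thread and not Splunk's own code): a simplified Python model of the monitor path wildcards discussed above. It assumes `...` matches across any number of directory levels, `*` stays within one path segment, and `whitelist` is an unanchored regular expression tested against the full file path. The file paths are constructed from the directory tree in the question, and the function names are hypothetical.

```python
import re

SEGMENT = r"[^\\/]*"  # '*' stays inside one path segment (model assumption)

def path_to_regex(stanza_path):
    """Translate a monitor:// path with '...' and '*' into an anchored regex."""
    parts, i = [], 0
    while i < len(stanza_path):
        if stanza_path.startswith("...", i):
            parts.append(".*")       # '...' recurses through any depth
            i += 3
        elif stanza_path[i] == "*":
            parts.append(SEGMENT)
            i += 1
        else:
            parts.append(re.escape(stanza_path[i]))
            i += 1
    # A path that names a directory also covers the files beneath it.
    return re.compile("^" + "".join(parts) + r"(?:[\\/].*)?$")

def monitored(stanza_path, whitelist, files):
    """Return the files the stanza would pick up under this model."""
    path_re = path_to_regex(stanza_path)
    return [f for f in files
            if path_re.search(f)
            and (whitelist is None or re.search(whitelist, f))]

# Constructed sample paths, modelled on the tree in the question.
FILES = [
    r"D:\Log\App\Module1\Log\20240301-actual.log",
    r"D:\Log\App\Module2\Log\20240301-actual.log",
    r"D:\Log\App\Module1\Log\archive\old.log",
    r"D:\Log\App\Module1\Log\notes.txt",
    r"D:\Log\App\Module3\PerformanceLogs\perf.log",
]

if __name__ == "__main__":
    for path, wl in [
        (r"D:\Log\App\*\Log\*.log", None),
        (r"D:\Log\App\...", r"\\*\.log$"),
        (r"D:\Log\App\*\PerformanceLogs\...", r"\\*\.log$"),
    ]:
        print(path, wl)
        for f in monitored(path, wl, FILES):
            print("   ", f)
```

Read as a regex, `\\*\.log$` means "zero or more backslashes, then `.log` at the end of the path", so it accepts any file ending in `.log` at any depth; it is not a glob.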