I'm facing a problem with writing a stanza that would collect log files from a directory tree. The tree is (example):
D:\Log\App\Module1\Log\%timestamp%-actual.log
D:\Log\App\Module2\Log\%timestamp%-actual.log
D:\Log\App\Module3\Log\%timestamp%-actual.log
I wish to grab the .log files from the tree.
Thus I wrote into inputs.conf:
[MonitorNoHandle://D:\Log\App\*\Log\*.log
This isn't really working. In fact, I've tried several ways, none are working (just two examples below):
[MonitorNoHandle://D:\Log\App\...]
whitelist = \\*\.log$
[MonitorNoHandle://D:\Log\App\Module\Log]
whitelist = \\*\.log$
I'm also placing below the above:
disabled = 0
index = test
sourcetype = app-log
Please help with the stanza wildcards?!
I've read several posts on the forums already, not to mention the documentation, and this doesn't seem to work.
There are no obvious errors (log_level > info) when monitoring after splunk reload deploy-server, the app is downloaded to the folders... but the logs are not coming in.
[monitor://D:\Log\App*\Log*.log]
disabled = 0
Use the document below:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Monitorfilesanddirectorieswithinputs.conf
You are using "m" in caps (M).
Thank you 🙂
So, I had not noticed that [MonitorNoHandle] is apparently meant for a single file, while [monitor] is spelled lower case.
In the end, what worked for me was:
[monitor://D:\Log\APP*\Log...]
whitelist = \*.log$
disabled = 0
sourcetype = APP-Trace.log
[monitor://D:\Log\APP\*\PerformanceLogs\...]
whitelist = \\*\.log$
disabled = 0
sourcetype = APP-PerformanceLogs.log
Thank you sir!
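An added example, not part of the thread and not Splunk's own code: a small Python model of the wildcard rules in the linked documentation (`...` recurses through subdirectories, `*` stays within one path segment, `whitelist` is a regex tested against the full path), for checking which files a stanza path would cover before deploying it. The function names and the sample file list are constructed for illustration.

```python
import re

def monitor_regex(stanza_path):
    """Model a monitor:// path as a regex using the documented wildcards:
    '...' recurses through any number of subdirectories, '*' stays inside
    one path segment. A matched directory also covers what lies below it."""
    parts, i = [], 0
    while i < len(stanza_path):
        if stanza_path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif stanza_path[i] == "*":
            parts.append(r"[^\\/]*")
            i += 1
        else:
            parts.append(re.escape(stanza_path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + r"(?:[\\/].*)?$")

def collected(stanza_path, files, whitelist=None):
    """Return the files the stanza would pick up; whitelist is an
    unanchored regex tested against the full path."""
    path_re = monitor_regex(stanza_path)
    allow = re.compile(whitelist) if whitelist else None
    return [f for f in files
            if path_re.match(f) and (allow is None or allow.search(f))]

# Constructed sample tree, following the layout described in the question.
FILES = [
    r"D:\Log\App\Module1\Log\20190801-actual.log",
    r"D:\Log\App\Module2\Log\20190801-actual.log",
    r"D:\Log\App\Module2\Log\archive\20190701-actual.log",
    r"D:\Log\App\Module3\Log\20190801-actual.txt",
    r"D:\Log\App\Module3\PerformanceLogs\perf.log",
]
WHITELIST = r"\\*\.log$"  # the whitelist regex used in the thread

if __name__ == "__main__":
    for stanza, wl in [(r"D:\Log\App\*\Log\*.log", None),
                       (r"D:\Log\App\...", WHITELIST),
                       (r"D:\Log\App\Module\Log", WHITELIST)]:
        print(stanza, "->", len(collected(stanza, FILES, wl)), "file(s)")
```

The third stanza covers nothing in this tree because no directory is literally named `Module`; only the wildcard forms reach `Module1` through `Module3`.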