Getting Data In

Monitoring files within the C:\Program Files (x86) directory tree

castle1126
Communicator

Hi all, I've got the 4.1.5 Light Forwarder (64 bit) installed on a Windows 2008 (64 bit) server. I only have one directory structure and group of logs I'm trying to monitor with the following entry:

[monitor://c:\program files (x86)\directory 1\directory 2\directory 3\*\*name*.txt]
disabled = 0

When I start up the forwarding software I do see the TCP connection between this server and my indexing system. But no data is being sent across. I've taken the log files from the above tree and placed them on C:\, adjusted my inputs.conf on the system and was able to read the data. Moving the test log file to a made up directory named C:\logs also worked. I copied the test log file to C:\Program Files and modified my inputs.conf and was able to read in the log file. But when I copied the test file to C:\Program Files (x86) and modified the inputs.conf accordingly I could not read the file.

Is there something with a special character like "(" or ")" that is confusing Splunk?

Steve

1 Solution

ziegfried
Influencer

Probably the wildcards don't work. Try to configure it this way:

[monitor://c:\program files (x86)\directory 1\directory 2\directory 3]
disabled = 0
whitelist = .*name.*\.txt

to monitor at the upper directory level and include only files that match the whitelist regular expression.

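The accepted answer monitors the parent directory and lets a whitelist regex pick the files. As an added example, not from this thread or from Splunk, the Python below checks a candidate whitelist against constructed sample paths; it assumes Splunk applies the whitelist as an unanchored regex search over the full file path (with case-insensitive matching on Windows), and shows that `.*name.*\.txt` also pulls in a `.txt.bak` file and anything under a directory called `name`, then derives a tighter regex from the original `*name*.txt` glob.

```python
import re
import ntpath

# Constructed sample paths as a monitor of the parent directory would see them.
SAMPLE_PATHS = [
    r"c:\program files (x86)\directory 1\directory 2\directory 3\20101021\appname1.txt",
    r"c:\program files (x86)\directory 1\directory 2\directory 3\20101021\appname1.txt.bak",
    r"c:\program files (x86)\directory 1\directory 2\directory 3\20101021\other.txt",
    r"c:\program files (x86)\directory 1\directory 2\directory 3\name\other.txt",
    r"c:\program files (x86)\directory 1\directory 2\directory 3\20101021\NAME2.TXT",
    r"c:\program files\directory 1\directory 2\directory 3\20101021\appname1.txt",  # outside root
]

MONITOR_ROOT = r"c:\program files (x86)\directory 1\directory 2\directory 3"


def selected_by_whitelist(paths, root, whitelist):
    """Return the paths under `root` whose full path matches `whitelist`.

    Assumption (my reading of Splunk's inputs.conf semantics, not verified
    against the product): the whitelist regex is applied with an unanchored
    search over the full path, and Windows paths compare case-insensitively.
    """
    pattern = re.compile(whitelist, re.IGNORECASE)
    root_norm = ntpath.normcase(root) + "\\"
    return [p for p in paths
            if ntpath.normcase(p).startswith(root_norm) and pattern.search(p)]


def glob_to_whitelist(file_glob):
    """Turn a file-name glob such as *name*.txt into a whitelist regex that
    only matches the last path component, so `*` cannot span directories
    and the extension must end the path."""
    parts = []
    for ch in file_glob:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return r"(?:^|\\)" + "".join(parts) + "$"


if __name__ == "__main__":
    for wl in (r".*name.*\.txt", glob_to_whitelist("*name*.txt")):
        print(f"whitelist = {wl}")
        for hit in selected_by_whitelist(SAMPLE_PATHS, MONITOR_ROOT, wl):
            print("  ", hit)
```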

ftk
Motivator

Please accept the answer that helped you out, so this question can be closed out. Thanks


castle1126
Communicator

I added the whitelist and it looks like things are now working. Thanks for the answer Ziegfried!


southeringtonp
Motivator

You probably need to escape the parentheses like so:

[monitor://c:\program files \(x86\)\directory 1\directory 2\directory 3\*\*name*.txt]
disabled = 0

Also, be aware that you can use the splunk list monitor command to list all files that are being monitored by Splunk.


castle1126
Communicator

Also, in checking the splunk list monitor output I see the directory trees that would have the appropriate files, but do not see the file names at the end of each line. For instance I'll see this listed, but no file name after.

C:\Program Files (x86)\directory1\directory2\20101021

All the default Splunk monitors ($SPLUNK_HOME\var\log\splunk\splunkd.log) show correctly.


castle1126
Communicator

I've also tried to put double quotes around "Program Files (x86)" but that still didn't work.


castle1126
Communicator

I've already tried escaping the parentheses but that didn't work. Looking through the logs I do see that Splunk does say it's monitoring the directory/files - but nothing seems to come across the TCP connection.
