Inputs.conf - wildcard monitor stanzas on Windows

emiller42
Motivator

I have a series of files I'm monitoring on Windows servers that have to have wildcards in the monitor path.

C:\Program Files (x86)\folder\04-29-2013\foo.xml
C:\Program Files (x86)\folder\04-29-2013\bar.xml

The date part of the path changes each day. Foo and Bar are different source types. So I have monitor stanzas like so:

[monitor://C:\Program Files (x86)\folder\*\foo.xml]
[monitor://C:\Program Files (x86)\folder\*\bar.xml]

This seems like it should work fine, but I'm not getting any of the files indexed.

Further digging using fileMonitor.py showed me the following errors:

Did not match partial whitelist '^c:\\Program Files (x86)\\folder\\[^\\]*\\foo\.xml$'

It appears that when the monitor stanza is expanded to a regex for whitelisting purposes, the parens aren't being escaped properly. It should be:

'^c:\\Program Files \(x86\)\\folder\\[^\\]*\\foo\.xml$'

Not sure how I can work around this. If I wildcard the 'Program Files' folder, that means Splunk will try to match every file in C:\ with the generated whitelist, which isn't going to work.

Any ideas?

1 Solution

dwaddle
SplunkTrust

Terrible hack/workaround, but the old "short name" should work, like C:\PROGRA~2. Maybe someone can come up with something less vomit inducing.

emiller42
Motivator

Terrible yet effective!

I've put in a ticket about the issue, as I think it should be properly escaping the parens in the path. But in the meantime, this gets the job done.

0 Karma
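
The mismatch described in this thread can be reproduced outside Splunk. The following is an added example, not code from the thread or from Splunk: `monitor_to_regex` and `matches` are hypothetical helpers that model the wildcard-to-whitelist expansion from the error message above, and case-insensitive matching is an assumption.

```python
import re

# Characters the whitelist in the thread's error message had escaped:
# backslash and dot. Parentheses were left bare.
OBSERVED_ESCAPES = "\\."

def monitor_to_regex(path, full_escape):
    """Expand a monitor path containing '*' into an anchored regex.

    full_escape=False models the whitelist from the error message
    (only backslash and dot escaped); full_escape=True escapes every
    regex metacharacter in the literal parts of the path.
    """
    parts = []
    for literal in path.split("*"):
        if full_escape:
            parts.append(re.escape(literal))
        else:
            parts.append("".join("\\" + c if c in OBSERVED_ESCAPES else c
                                 for c in literal))
    # '*' stays inside one path segment: anything except a backslash.
    return "^" + r"[^\\]*".join(parts) + "$"

def matches(stanza_path, candidate, full_escape):
    """True if the candidate file path passes the generated whitelist."""
    regex = monitor_to_regex(stanza_path, full_escape)
    return re.match(regex, candidate, re.IGNORECASE) is not None

# Paths taken from the thread; SHORT_* use the 8.3 name from the workaround.
STANZA = r"C:\Program Files (x86)\folder\*\foo.xml"
REAL_FILE = r"C:\Program Files (x86)\folder\04-29-2013\foo.xml"
SHORT_STANZA = r"C:\PROGRA~2\folder\*\foo.xml"
SHORT_FILE = r"C:\PROGRA~2\folder\04-29-2013\foo.xml"

if __name__ == "__main__":
    print(monitor_to_regex(STANZA, full_escape=False))
    # Bare parens form a group, so the pattern expects "Files x86", not "Files (x86)".
    print("observed whitelist:", matches(STANZA, REAL_FILE, False))
    print("escaped whitelist: ", matches(STANZA, REAL_FILE, True))
    # The short name has no regex metacharacters left unescaped.
    print("short-name stanza: ", matches(SHORT_STANZA, SHORT_FILE, False))
```

A stanza that silently matches nothing is a logging gap, so after changing a wildcard monitor path it is worth confirming that events from the expected files actually arrive.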