How can I monitor the same file on different drive...

deloach · ‎07-30-2013

I'm trying to monitor the same file on different drives on Windows systems. I tried putting a wildcard into the inputs.conf but that doesn't seem to work for a drive letter.

For instance I have these two different paths:
C:\Program Files\folder\file.txt
D:\Program Files\folder\file.txt

I tried editing my inputs.conf as below
[monitor://*:\Program Files\folder\file.txt]
[monitor://Program Files\folder\file.txt]

No luck with either one and I haven't been able to find any other questions addressing this.

khushi4u21 · ‎05-15-2017

was the solution found for this requirement to monitor same files under different directories ?

anewell · ‎05-15-2017

If you need a solution for a fleet of hosts, where one file might appear in a number of different known locations across different endpoints, due to inconsistent builds or what have you.. Splunk honors Windows environment variables, but does so with "linuxy" syntax. So I have the build orchestration set a system-wide envvar %APPLOGS% to either "C:\path" or "D:\path" on the host, and then do a [monitor://$APPLOGS\file.log] stanza in my inputs.conf. The key is the two different dialects of environment variable.

khushi4u21 · ‎05-15-2017

Actually we can not get this env variable created on thousands of desktops. Need a generic solution which can only be implemented using splunk config.

jstockamp · ‎07-30-2013

You could try a regex in the path:

[monitor://[A-Z]:\Program Files\folderfile.txt]

http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Specifyinputpathswithwildcards

aholzer · ‎07-30-2013

I believe you are looking for the ellipses option. See documentation:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Specifyinputpathswithwildcards

How can I monitor the same file on different drives in windows?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!