- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: inputs.conf + wildcard not picking up anything
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf + wildcard not picking up anything
I am trying to monitor a log file where the directory path may change from one machine to another. But these rules are for sure:
The first folder has the word hyperic
The second folder has the word agent in it
the third folder is named logs
the file to be read is named agent.log
Some admins have named the first directory hyperic ... some have named it something else like hyperic 4.6.6
Also the second folder might be named hyperic-hqee-agent-4.6.5 or hyperic-hqee-agent-4.6.6 ... but we know that it has agent in it, so we want to proceed down to the next level.
A full path might look like this:
C:\Hyperic\hyperic-hqee-agent-4.6.6\log\agent.log
My inputs.conf has this stanza in it:
[monitor://C:\*Hyperic*\*agent*\log\agent.log]
disabled = false
sourcetype = hyperic_agent
the apps have deployed to all the corresponding machines, but nothing is being received. This is what I see in the splunkd logs:
11-26-2012 14:57:54.686 -0800 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\*Hyperic*\*agent*\log\agent.log.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
[monitor://C:\\*Hyperic*\\*agent*\\log\\agent.log]
I think Splunk is seeing the single backslashes as escaping the following character.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried that also, still nothing. I get a TailingProcessor error event when I use double slashes \\. That error isn't present with single slashes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try without the leading star after C:\.
[monitor://C:\\Hyperic*\\*agent*\\log\\agent.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried that but it doesn't work either. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are quite a bit of files monitored, but I think what you wanted to see was if the file in question is being monitored. It is listed as following:
C:\*Hyperic*\*agent*\log\agent.log
C:\*Hyperic*\*agent*\log\wrapper.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On any of the machines, what do you see when you run
splunk list monitor
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
