Getting Data In

wildcard not working in inputs.conf

a212830
Champion

Hi,

I need to monitor a single file that exists in multiple directories, which can change without my notice, but will follow the same format. I tried setting up a wildcard, but it's not working.

The directory structure is:

/pwstcdwlk*/log/*/gpws_error.log

The filename is always gpws_error.log, and the filesystem will always begin with /pwstcdwlk, but the segment after log can change and be almost anything.

I had the following, but it did not work.

[monitor:///pwstcdwlk*/log/.../gpws_error.log]
recursive = yes
disabled = false
followTail = false
sourcetype = log4j
index = throwaway

1 Solution

a212830
Champion

Looks like a bug in 5.01 - upgraded to 5.04, and everything worked.

the_wolverine
Champion

FWIW, I also encountered this in 4.3.3.3 -- not sure if any other versions affected.

[monitor:///*dir*/logs/*/*.log]

Did not work properly. Something about the wildcard at the base directory.

I had to use

[monitor:///actualdirname/logs/*/*.log]
0 Karma

a212830
Champion

Lots of data available, with multiple logs. The splunkd.log isn't showing any errors - just this message: 03-06-2014 08:02:58.235 -0500 INFO TailingProcessor - Parsing configuration stanza: monitor:///pws*/log/.../gpws_error.log.

Here's some sample output of an ls command:

-rw-rw-r-- 1 blahblah blahblah 165 Mar 5 08:15 /pwstcawlk3/log/PROCESSMONITOR/gpws_error.log
-rw-rw-r-- 1 blahblah blahblah 180874 Mar 5 10:22 /pwstcawlk2/log/HTTPCONTROLLERARCH/gpws_error.log

Those files (and others) are not being indexed. BTW - this is on AIX, if that matters.

0 Karma

theouhuios
Motivator

Do you see any error in the logs? If that's the case then your stanza looks right to me. There is no data being indexed from the log file? How many lines does the log file have?

0 Karma

a212830
Champion

The ones that I want all begin with pwstcdwlk, but it can change after that - could be a 1, could be abc... - out of my control. I don't want to make it wide open, as other files could be grabbed.

0 Karma

theouhuios
Motivator

You mentioned a specific directory structure. Do you have multiple directory structures like that?

Try [monitor:///.../log/.../gpws_error.log]

... -> is a recursive wildcard. What you have as of now should also work if there is something like pwstcdwlkABC, pwstcdwlk123 etc.

0 Karma
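
Added example, not part of the original thread and not Splunk's own code: a small Python model of the two monitor wildcards discussed above, for checking which files a stanza path would cover, miss, or over-collect before deploying it. It assumes `...` behaves like the regex `.*` and `*` like `[^/]*` (Splunk's documented equivalents); the function names and the three paths marked as constructed are made up for illustration.

```python
import re

def monitor_path_to_regex(path):
    """Translate a monitor path with '*' and '...' into an anchored regex.

    Assumed wildcard semantics:
      '...' -> '.*'     crosses '/' and therefore recurses into subdirectories
      '*'   -> '[^/]*'  stays inside a single path segment
    """
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def matching_files(monitor_path, candidates):
    """Return the candidate paths that the monitor path would select."""
    rx = monitor_path_to_regex(monitor_path)
    return [p for p in candidates if rx.match(p)]

# Two paths taken from the ls output in the thread, plus constructed ones.
CANDIDATES = [
    "/pwstcawlk3/log/PROCESSMONITOR/gpws_error.log",
    "/pwstcawlk2/log/HTTPCONTROLLERARCH/gpws_error.log",
    "/pwstcdwlk1/log/APP/gpws_error.log",          # constructed
    "/pwstcdwlk1/log/APP/archive/gpws_error.log",  # constructed, one level deeper
    "/other/log/APP/gpws_error.log",               # constructed, outside the prefix
]

if __name__ == "__main__":
    for stanza in ("/pwstcdwlk*/log/*/gpws_error.log",
                   "/pwstcdwlk*/log/.../gpws_error.log",
                   "/pws*/log/.../gpws_error.log",
                   "/.../log/.../gpws_error.log"):
        print(stanza)
        for hit in matching_files(stanza, CANDIDATES):
            print("   ", hit)
```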