I want to write a monitor stanza that picks up a log named "mytest.log" which may be found in either /var/log/app/ or /var/log/app/testlogs/

According to this: http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Specifyinputpathswithwildcards, it seems possible to do what I want by defining [monitor:///var/log/app/*/mytest.log]

Specifically, it is described in this section of the table describing use of "*": /foo/*/bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc.

My monitor stanza is:

[monitor:///var/log/app/*/mytest.log]
index = lab
sourcetype = log4j
blacklist = .(gz|bz2|z|zip)$

I expected Splunk to pick up both /var/log/app/mytest.log and /var/log/app/testlogs/mytest.log, but instead only the latter is actually picked up. It seems that the base dir of /var/log/app/ is not being searched.

asked 27 Jan '12, 14:21

tpsplunk

edited 27 Jan '12, 14:41


One Answer:

The important part in the documentation topic you are referencing is this one :

Wildcard : *
Description : The asterisk wildcard matches anything in that specific directory path segment. Unlike "...", "*" doesn't recurse through any subdirectories.
Regex equivalent : [^/]*

This means that your stanza definition of [monitor:///var/log/app/*/mytest.log] translates into the following regular expression :

/var/log/app/[^/]*/mytest.log

This will not match the following path :

/var/log/app/mytest.log

What you need is for your stanza definition to be [monitor:///var/log/app/...mytest.log].

answered 28 Jan '12, 09:31

hexx ♦

I'll try this out. It makes sense, but it means the documentation inside inputs.conf is wrong.

(30 Jan '12, 13:25) tpsplunk

How so? Please quote the page/block of text that makes you say so, I'd be happy to fix it.

(30 Jan '12, 13:28) hexx ♦
"The asterisk (*) matches anything in a single path segment; unlike "...", it does not recurse.
For example, /foo/*/bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar."

It's the piece that says "/foo/*/bar matches the files /foo/bar" that I think is wrong. It's what led me to believe that /var/log/app/*/mytest.log would match /var/log/app/mytest.log.

(13 Mar '12, 08:50) tpsplunk
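
The wildcard translation discussed in this thread, as an added example that is not part of the original posts or Splunk's own code. It assumes "*" becomes [^/]* (as quoted in the answer), "..." becomes .* and the resulting pattern is matched against the whole path; the function names and sample paths are constructed for illustration.

```python
import re


def monitor_to_regex(path):
    """Translate a monitor path with wildcards into a compiled regex.

    Simplified model of the rule quoted in the answer: "*" stays inside one
    path segment, "..." (assumed to be ".*") crosses directory boundaries.
    """
    out = []
    i = 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")       # recurses through any number of directories
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")    # anything except a path separator
            i += 1
        else:
            out.append(re.escape(path[i]))  # literal character, "." escaped
            i += 1
    return re.compile("".join(out))


def matched(stanza_path, candidates):
    """Return the candidate file paths the stanza path would select."""
    rx = monitor_to_regex(stanza_path)
    return [p for p in candidates if rx.fullmatch(p)]


# Constructed sample paths, not taken from a real host.
CANDIDATES = [
    "/var/log/app/mytest.log",
    "/var/log/app/testlogs/mytest.log",
    "/var/log/app/testlogs/old/mytest.log",
    "/var/log/app/notmytest.log",
]

QUESTION_STANZA = "/var/log/app/*/mytest.log"   # stanza from the question
ANSWER_STANZA = "/var/log/app/...mytest.log"    # stanza from the answer

if __name__ == "__main__":
    for stanza in (QUESTION_STANZA, ANSWER_STANZA):
        print(stanza, "->", monitor_to_regex(stanza).pattern)
        for p in matched(stanza, CANDIDATES):
            print("    matches", p)
```

Under this model the question's stanza selects only the testlogs file, while the answer's stanza selects every sample path, including notmytest.log and the nested copy, so check what else ends in mytest.log under the directory before relying on it.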
Asked: 27 Jan '12, 14:21

Seen: 767 times

Last updated: 13 Mar '12, 08:50

Copyright © 2005-2012 Splunk Inc. All rights reserved.