Getting Data In

Forwarder props.conf [source::] stanza

roychen
Path Finder

Hello,

On my forwarder, at $SPLUNK_HOME/etc/system/local/inputs.conf, I have a monitor configured:

[monitor://C:\Program Files (x86)\Application\Application Logs\Logs]
disabled = 0
whitelist = (log$)

I can see from my indexer that the log files I expect to be indexed are there.

I want to adjust the sourcetype for that particular source, so I configured $SPLUNK_HOME/etc/system/local/props.conf as follows:

[source::C:\\Program Files (x86)\\Application\\Application Logs\\Logs\\*.log]
sourcetype = custom_sourcetype

However, that stanza does not seem to work. After playing around, I managed to find the following stanza, which works:

[source::...\\Logs\\*.log]
sourcetype = custom_sourcetype

Could someone please tell me why? Do spaces, or parentheses in the source file name need to be escaped somehow?

Thanks!

1 Solution

jkat54
SplunkTrust

Instead of using the *.log, use the whitelist and do not escape the parentheses. I also found no need to escape the backslashes in the path.

[source::C:\Program Files (x86)\Application\Application Logs\Logs\]
sourcetype = custom_sourcetype
whitelist = \.log$

This whitelist will only match files with .log at the very end, so it's not going to grab other stuff like blah.log.bak. Remove the $ to get files with stuff past the .log.

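As an added example (not code from this thread and not Splunk's own matcher), the following Python models the two pattern mechanisms discussed above: the ... and * wildcards in a [source::] stanza, where parentheses and | keep their regex meaning unless escaped (echalex's point), and an inputs.conf whitelist regex with and without the $ anchor (jkat54's point about blah.log.bak). The rewrite rules, the sample path and the assumption that a literal backslash is written as \\ in the pattern (as in the original post) are this example's own; it is a teaching model of the documented wildcard behaviour and does not reproduce every outcome reported in the thread.

```python
import re

# Constructed model (assumption, not Splunk's code) of how a props.conf
# [source::<pattern>] stanza name is compared against a source path.
# The pattern is treated as a regular expression anchored at both ends,
# after two Splunk wildcards are rewritten:
#   ...  -> any run of characters, path separators included
#   *    -> any run of characters without a path separator
# Everything else keeps its regex meaning, so ( ) group and | alternates
# unless escaped, and a literal backslash must be written as \\.

def source_pattern_to_regex(pattern: str) -> str:
    """Rewrite a source:: stanza pattern into an anchored regex string."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")          # recursive wildcard
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^/\\]*")    # one path component only
            i += 1
        else:
            parts.append(pattern[i])    # passed through as regex
            i += 1
    return "^(?:" + "".join(parts) + ")$"


def source_matches(pattern: str, source: str) -> bool:
    """True if the stanza pattern matches the whole source path."""
    return re.match(source_pattern_to_regex(pattern), source) is not None


def whitelist_matches(whitelist: str, path: str) -> bool:
    """inputs.conf whitelist: a regex searched anywhere in the full path."""
    return re.search(whitelist, path) is not None


# Constructed sample path of the kind the thread's monitor stanza picks up.
SAMPLE_SOURCE = r"C:\Program Files (x86)\Application\Application Logs\Logs\app.log"

# The stanza patterns from the thread, plus one alternation pattern.
UNESCAPED = r"C:\\Program Files (x86)\\Application\\Application Logs\\Logs\\*.log"
ESCAPED = r"C:\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\*.log"
DOTTED = r"...\\Logs\\*.log"
ALTERNATE = r"...\\Logs\\*.(log|txt)"


def demo() -> dict:
    """Evaluate each case against the sample path; returns name -> bool."""
    bak = r"C:\Logs\blah.log.bak"
    return {
        "unescaped (x86) is a regex group, so no match": source_matches(UNESCAPED, SAMPLE_SOURCE),
        "escaped \\(x86\\) matches": source_matches(ESCAPED, SAMPLE_SOURCE),
        "recursive ... wildcard matches": source_matches(DOTTED, SAMPLE_SOURCE),
        "alternation (log|txt) matches": source_matches(ALTERNATE, SAMPLE_SOURCE),
        "* does not cross path separators": source_matches(r"C:\\*.log", SAMPLE_SOURCE),
        "whitelist \\.log$ on app.log": whitelist_matches(r"\.log$", SAMPLE_SOURCE),
        "whitelist \\.log$ on blah.log.bak": whitelist_matches(r"\.log$", bak),
        "whitelist \\.log (no $) on blah.log.bak": whitelist_matches(r"\.log", bak),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'MATCH   ' if ok else 'NO MATCH'}  {name}")
```

Running it shows the unescaped parentheses pattern failing while the escaped, the ... form and the alternation form all match the same path, and the whitelist with the $ anchor rejecting blah.log.bak while the unanchored one accepts it.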

echalex
Builder

Hi roychen,

Yes, the parentheses need to be escaped. In the source:: stanza in props.conf the parentheses limit the scope of the alternation operator |. Try using \( and \).

HTH

echalex
Builder

Hi roychen,

Yes, the three dots mean "any path". Did you try using the three dots with or without that one slash as I suggested? Basically, since you were successful with your second example, I think you could be lucky using the full path, but replacing C: with the dots.


roychen
Path Finder

Hi echalex,

I believe the three periods ... means to recurse through directories until the match is met.

Windows paths still need to be specified with the backslash \, or \\ in the case of props.conf, rather than the slash /.

Still, thank you for your efforts! 🙂


echalex
Builder

Hi roychen,
Unfortunately I'm not very familiar with Windows or running Splunk on it. However, looking at the props.conf files coming with Splunk, I see that most of the source:: stanzas seem to start with three dots (...).

Perhaps you could try:

[source::.../C:\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\filename.log]

or even (with or without that first slash after the ...)

[source::.../\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\filename.log]

roychen
Path Finder

Hello echalex,

It seems even escaping the parentheses with \ doesn't work.

My stanza was:

C:\\Program Files \(x86\)\\Application\\Application Logs\\Logs\\filename.log

Thanks!
