Hi all, I've got the 4.1.5 Light Forwarder (64 bit) installed on a Windows 2008 (64 bit) server. I only have one directory structure and group of logs I'm trying to monitor with the following entry:

[monitor://c:\program files (x86)\directory 1\directory 2\directory 3\*\*name*.txt]
disabled = 0

When I start up the forwarding software I do see the TCP connection between this server and my indexing system. But no data is being sent across. I've taken the log files from the above tree and placed them on C:\, adjusted my inputs.conf on the system and was able to read the data. Moving the test log file to a made up directory named C:\logs also worked. I copied the test log file to C:\Program Files and modified my inputs.conf and was able to read in the log file. But when I copied the test file to C:\Program Files (x86) and modified the inputs.conf accordingly I could not read the file.

Is there something with a special character like "(" or ")" that is confusing Splunk?

Steve

asked 25 Oct '10, 13:52

castle1126

edited 25 Oct '10, 14:04

southeringtonp ♦

Please accept the answer that helped you out, so this question can be closed out. Thanks

(25 Oct '10, 15:27) ftk ♦

2 Answers:

Probably the wildcards don't work. Try to configure it this way:

[monitor://c:\program files (x86)\directory 1\directory 2\directory 3]
disabled = 0
whitelist = .*name.*\.txt

to monitor at upper directory level and include only files that match the whitelist regular expression.

answered 25 Oct '10, 14:46

ziegfried ♦

I added the whitelist and it looks like things are now working. Thanks for the answer Ziegfried!

(25 Oct '10, 15:03) castle1126
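
The whitelist in the answer above is an unanchored regular expression tested against the full file path, and monitor inputs recurse into subdirectories by default, so it selects more files than the wildcard stanza in the question was meant to. The sketch below is an added example, not code from the thread or from Splunk: the sample paths, the helper names and the tightened whitelist are assumptions made for illustration, and Python's `re` stands in for Splunk's regex engine.

```python
import re

# Directory from the monitor stanza in the answer above.
BASE = r"c:\program files (x86)\directory 1\directory 2\directory 3"

# Constructed sample paths (not taken from the thread).
SAMPLE_PATHS = [
    BASE + r"\20101021\appname_01.txt",          # the kind of file the question wants
    BASE + r"\20101021\appname_01.txt.bak",      # backup copy of it
    BASE + r"\20101021\archive\appname_01.txt",  # one directory level deeper
    BASE + r"\hostnames\readme.txt",             # "name" appears only in a directory name
    BASE + r"\20101021\debug.txt",               # unrelated file
]

QUESTION_WILDCARD = BASE + r"\*\*name*.txt"  # path from the question's stanza
ANSWER_WHITELIST = r".*name.*\.txt"          # whitelist from the answer
# Hypothetical tightened whitelist (an assumption added here): exactly one
# subdirectory below "directory 3", "name" in the file name, ".txt" at the end.
TIGHT_WHITELIST = r"directory 3\\[^\\]+\\[^\\]*name[^\\]*\.txt$"


def wildcard_to_regex(wildcard_path):
    """Model the intent of the wildcard stanza: '*' never crosses a backslash."""
    literal_parts = [re.escape(part) for part in wildcard_path.split("*")]
    return "^" + r"[^\\]*".join(literal_parts) + "$"


def selected(pattern, paths=SAMPLE_PATHS):
    """Return the paths a pattern selects, using an unanchored search on the full path."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


if __name__ == "__main__":
    for label, pattern in [
        ("wildcard intent", wildcard_to_regex(QUESTION_WILDCARD)),
        ("answer whitelist", ANSWER_WHITELIST),
        ("tight whitelist", TIGHT_WHITELIST),
    ]:
        print(label)
        for path in selected(pattern):
            print("   ", path)
```

After changing a whitelist, the `splunk list monitor` command mentioned in the other answer shows which files the forwarder actually picked up.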

You probably need to escape the parentheses like so:

[monitor://c:\program files \(x86\)\directory 1\directory 2\directory 3\*\*name*.txt]
disabled = 0

Also, be aware that you can use the splunk list monitor command to list all files that are being monitored by Splunk.

answered 25 Oct '10, 14:07

southeringtonp ♦

I've already tried escaping the parentheses but that didn't work. Looking through the logs I do see that Splunk does say it's monitoring the directory/files - but nothing seems to come across the TCP connection.

(25 Oct '10, 14:15) castle1126

I've also tried to put double quotes around "Program Files (x86)" but that still didn't work.

(25 Oct '10, 14:16) castle1126

Also, in checking the splunk list monitor output I see the directory trees that would have the appropriate files, but do not see the file names at the end of each line. For instance I'll see this listed, but no file name after.

C:\Program Files (x86)\directory1\directory2\20101021

The default Splunk monitors ($SPLUNK_HOME\var\log\splunk\splunkd.log) all show correctly.

(25 Oct '10, 14:28) castle1126
Asked: 25 Oct '10, 13:52

Seen: 1,066 times

Last updated: 25 Oct '10, 14:46

Copyright © 2005-2012 Splunk, Inc. All rights reserved.