Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows universal forwarder localappdata

Niro
Explorer
‎02-07-2024 12:53 PM

Hello,

 

I need to monitor log files that are in the following directory('s'):

 

"c:\users\%username%\appdata\local\app\$randomnumber$\app.log"

%username% is whoever is currently logged on (but I suppose I'd be ok with "*", any user folder) and $randomnumber$ is a unique ID that's going to always be different for every desktop, possibly change over time, and possibly be more than one folder for a given user.

How would I make the file monitor stanza in inputs.conf do that?

 

Thanks!

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2024 01:41 PM

Use wildcards for the unknown parts.

[monitor://c:\users\*\appdata\local\app\*\app.log]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2024 01:41 PM

Use wildcards for the unknown parts.

[monitor://c:\users\*\appdata\local\app\*\app.log]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Niro
Explorer
‎02-13-2024 10:18 AM

This ended up working - not sure what was wrong before, I think the timestamps were off. But it's all there, thanks!

Reply
Solved! Jump to solution

Niro
Explorer
‎02-07-2024 02:01 PM

Thanks!

I just tried it - it doesn't SEEM to be working, I'm not getting any data in splunk even  though I know the files are being updated. Looking at the index (just searching index=someapp) returns no data (index does exist).

This is what I have:

[monitor://c:\users\*\appdata\local\someapp\apps\*\app.log]
index = someapp
sourcetype=someapp
disabled=0

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2024 02:33 PM

Verify splunk has read access to the file.  Check splunkd.log for messages about reading the file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Niro
Explorer
‎02-07-2024 02:50 PM

it SHOULD have access - I don't see any errors or anything. The only thing that comes up is 

"Parsing configuration stanza: monitor://c:\users\*\appdata\local\apps\*\app.log."

but no errors...

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...