Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows universal forwarder localappdata

Niro
Explorer
‎02-07-2024 12:53 PM

Hello,

 

I need to monitor log files that are in the following directory('s'):

 

"c:\users\%username%\appdata\local\app\$randomnumber$\app.log"

%username% is whoever is currently logged on (but I suppose I'd be ok with "*", any user folder) and $randomnumber$ is a unique ID that's going to always be different for every desktop, possibly change over time, and possibly be more than one folder for a given user.

How would I make the file monitor stanza in inputs.conf do that?

 

Thanks!

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2024 01:41 PM

Use wildcards for the unknown parts.

[monitor://c:\users\*\appdata\local\app\*\app.log]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2024 01:41 PM

Use wildcards for the unknown parts.

[monitor://c:\users\*\appdata\local\app\*\app.log]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Niro
Explorer
‎02-13-2024 10:18 AM

This ended up working - not sure what was wrong before, I think the timestamps were off. But it's all there, thanks!

Reply
Solved! Jump to solution

Niro
Explorer
‎02-07-2024 02:01 PM

Thanks!

I just tried it - it doesn't SEEM to be working, I'm not getting any data in splunk even  though I know the files are being updated. Looking at the index (just searching index=someapp) returns no data (index does exist).

This is what I have:

[monitor://c:\users\*\appdata\local\someapp\apps\*\app.log]
index = someapp
sourcetype=someapp
disabled=0

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2024 02:33 PM

Verify splunk has read access to the file.  Check splunkd.log for messages about reading the file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Niro
Explorer
‎02-07-2024 02:50 PM

it SHOULD have access - I don't see any errors or anything. The only thing that comes up is 

"Parsing configuration stanza: monitor://c:\users\*\appdata\local\apps\*\app.log."

but no errors...

0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...