https://community.splunk.com/t5/Getting-Data-In/simple-wildcard-monitoring-not-working/m-p/207508#M40910 <P>ya. splunk user is able to read the directory/cd in, BUT it doesnt have access to read every file in that dir. could that be the issue? <BR /> <PRE><BR /> -bash-4.2$ id<BR /> uid=9100(splunk) gid=9100(splunk) groups=9100(splunk) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<BR /> -bash-4.2$ ls /var/log<BR /> anaconda boot.log btmp-20151201 cloud-init.log cron cron-20151214 cron-20151227 dmesg maillog maillog-20151214 maillog-20151227 messages-20151206 messages-20151220 newrelic ppp samba secure-20151206 secure-20151220 spooler spooler-20151214 spooler-20151227 tomcat wtmp<BR /> audit btmp chrony cloud-init-output.log cron-20151206 cron-20151220 cs lastlog maillog-20151206 maillog-20151220 messages messages-20151214 messages-20151227 ntpstats sa secure secure-20151214 secure-20151227 spooler-20151206 spooler-20151220 tallylog tuned yum.log<BR /> -bash-4.2$ ls -ld /var/log<BR /> drwxr-xr-x. 13 root root 4096 Dec 27 03:41 /var/log<BR /> </PRE><BR /> i have change the perm in the tomcat dir to be accessable by splunk as well -<BR /> <PRE><BR /> -bash-4.2$ ls -ld /var/log/tomcat<BR /> drwxrwxr-x. 2 tomcat root 8192 Dec 28 00:00 /var/log/tomcat<BR /> </PRE></P> Tue, 29 Sep 2020 08:17:14 GMT clearslide_cwon 2020-09-29T08:17:14Z https://community.splunk.com/t5/Getting-Data-In/simple-wildcard-monitoring-not-working/m-p/207506#M40908 <P>I have a really simple wildcard matching for monitoring, but I can't get it to work. Here is the setup:</P> <P>/opt/splunkforwarder/etc/system/local/inputs.conf</P> <PRE><CODE>[monitor:///var/log/tomcat/localhost_access_log.*.txt] </CODE></PRE> <P>i restarted splunk, but it doesn't monitor any files in that directory.</P> <P>BUT, if I put the following and copy the log (txt) files to <CODE>/tmp</CODE>, it sees them:</P> <PRE><CODE>[monitor:///tmp/localhost_access_log*.txt] </CODE></PRE> <P>Is there any restriction, or because the wildcard I have? It seems pretty basic to me.</P> Wed, 23 Dec 2015 00:31:41 GMT https://community.splunk.com/t5/Getting-Data-In/simple-wildcard-monitoring-not-working/m-p/207506#M40908 clearslide_cwon 2015-12-23T00:31:41Z https://community.splunk.com/t5/Getting-Data-In/simple-wildcard-monitoring-not-working/m-p/207507#M40909 <P>Check if your splunk user is able to read /var/log directory. The logs should be complaining about this, if permission is denied.</P> Wed, 23 Dec 2015 02:22:03 GMT https://community.splunk.com/t5/Getting-Data-In/simple-wildcard-monitoring-not-working/m-p/207507#M40909 renjith_nair 2015-12-23T02:22:03Z https://community.splunk.com/t5/Getting-Data-In/simple-wildcard-monitoring-not-working/m-p/207508#M40910 <P>ya. splunk user is able to read the directory/cd in, BUT it doesnt have access to read every file in that dir. could that be the issue? <BR /> <PRE><BR /> -bash-4.2$ id<BR /> uid=9100(splunk) gid=9100(splunk) groups=9100(splunk) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<BR /> -bash-4.2$ ls /var/log<BR /> anaconda boot.log btmp-20151201 cloud-init.log cron cron-20151214 cron-20151227 dmesg maillog maillog-20151214 maillog-20151227 messages-20151206 messages-20151220 newrelic ppp samba secure-20151206 secure-20151220 spooler spooler-20151214 spooler-20151227 tomcat wtmp<BR /> audit btmp chrony cloud-init-output.log cron-20151206 cron-20151220 cs lastlog maillog-20151206 maillog-20151220 messages messages-20151214 messages-20151227 ntpstats sa secure secure-20151214 secure-20151227 spooler-20151206 spooler-20151220 tallylog tuned yum.log<BR /> -bash-4.2$ ls -ld /var/log<BR /> drwxr-xr-x. 13 root root 4096 Dec 27 03:41 /var/log<BR /> </PRE><BR /> i have change the perm in the tomcat dir to be accessable by splunk as well -<BR /> <PRE><BR /> -bash-4.2$ ls -ld /var/log/tomcat<BR /> drwxrwxr-x. 2 tomcat root 8192 Dec 28 00:00 /var/log/tomcat<BR /> </PRE></P> Tue, 29 Sep 2020 08:17:14 GMT https://community.splunk.com/t5/Getting-Data-In/simple-wildcard-monitoring-not-working/m-p/207508#M40910 clearslide_cwon 2020-09-29T08:17:14Z