https://community.splunk.com/t5/Getting-Data-In/is-there-a-problem-with-logs-that-end-in-the-date/m-p/46554#M8792 <P>I have a log structure like so:</P> <P>/opt/data/logs/tomcat/foo or /opt/data/logs/tomcat/bar</P> <P>the logs themselves are something like log1.out.2012-05-01, etc.</P> <P>I've tried several monitor stanzas like:</P> <PRE><CODE>[monitor:///opt/data/logs/tomcat/.../*] whitelist: foo\.out\.* </CODE></PRE> <P>or</P> <PRE><CODE>[monitor:///opt/data/logs/tomcat/.../foo\.out\.*] </CODE></PRE> <P>but nothing is picking up these logs... </P> Tue, 08 May 2012 21:35:02 GMT mmattek 2012-05-08T21:35:02Z https://community.splunk.com/t5/Getting-Data-In/is-there-a-problem-with-logs-that-end-in-the-date/m-p/46554#M8792 <P>I have a log structure like so:</P> <P>/opt/data/logs/tomcat/foo or /opt/data/logs/tomcat/bar</P> <P>the logs themselves are something like log1.out.2012-05-01, etc.</P> <P>I've tried several monitor stanzas like:</P> <PRE><CODE>[monitor:///opt/data/logs/tomcat/.../*] whitelist: foo\.out\.* </CODE></PRE> <P>or</P> <PRE><CODE>[monitor:///opt/data/logs/tomcat/.../foo\.out\.*] </CODE></PRE> <P>but nothing is picking up these logs... </P> Tue, 08 May 2012 21:35:02 GMT https://community.splunk.com/t5/Getting-Data-In/is-there-a-problem-with-logs-that-end-in-the-date/m-p/46554#M8792 mmattek 2012-05-08T21:35:02Z https://community.splunk.com/t5/Getting-Data-In/is-there-a-problem-with-logs-that-end-in-the-date/m-p/46555#M8793 <P>I think web mangled... I had the "." characters escaped, btw</P> Tue, 08 May 2012 21:41:03 GMT https://community.splunk.com/t5/Getting-Data-In/is-there-a-problem-with-logs-that-end-in-the-date/m-p/46555#M8793 mmattek 2012-05-08T21:41:03Z https://community.splunk.com/t5/Getting-Data-In/is-there-a-problem-with-logs-that-end-in-the-date/m-p/46556#M8794 <P>The monitor path looks good.</P> <P>Are your file starting with the same first lines ?<BR /> Maybe is it the crc calculation on the first 256 chars causing the logs file to be considered as identical.<BR /> A workaround for this is to add crcSalt in inputs.conf, see <A href="http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/Inputsconf</A></P> <P>If there is no timestamp in the events, maybe the timestamp is extracted from the filename, please search over all time for source=<EM>myfile</EM></P> <P>Finally to check what the tailing processor is saying, use the REST API<BR /> <A href="https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus">https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus</A></P> Tue, 08 May 2012 22:12:26 GMT https://community.splunk.com/t5/Getting-Data-In/is-there-a-problem-with-logs-that-end-in-the-date/m-p/46556#M8794 yannK 2012-05-08T22:12:26Z https://community.splunk.com/t5/Getting-Data-In/is-there-a-problem-with-logs-that-end-in-the-date/m-p/46557#M8795 <P>the rest API was great, that provided good clues.. had to do with overlapping monitor stanzas. in old environment, server had separate folders, move to new one, I changed all monitor stanzas to the same folder, but apparently only one whitelist applied!</P> <P>Changed to a (x.log|y.log) etc, whitelist and one stanza...</P> Fri, 11 May 2012 17:31:07 GMT https://community.splunk.com/t5/Getting-Data-In/is-there-a-problem-with-logs-that-end-in-the-date/m-p/46557#M8795 mmattek 2012-05-11T17:31:07Z