https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-Look-For-Logs-Inside-Folders/m-p/529020#M89150 <P>Universal Forwarders are supposed to recursively monitor subdirectories automatically, but perhaps another setting disabled that.&nbsp; Try these settings.</P><LI-CODE lang="markup">[monitor://C:\Systems\System\Logs\...\*.txt] index = MyIndex disabled = 0 recursive = true _TCP_ROUTING = my_config</LI-CODE> Wed, 11 Nov 2020 19:10:36 GMT richgalloway 2020-11-11T19:10:36Z https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-Look-For-Logs-Inside-Folders/m-p/529013#M89149 <P><STRONG>Hello all! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</STRONG></P><P>I'm currently implementing <STRONG>Splunk</STRONG> inside one of our company systems. It happens so that the logging structure works like this:</P><P><FONT face="courier new,courier">C:\Systems\System\Logs\A_Lot_Of_Folders\2020(year)\11(month)\day.txt</FONT></P><P>Since I have a lot of folders inside the <STRONG>Logs</STRONG> structure, I configured my stanza like this:</P><P><FONT face="courier new,courier">[monitor://C:\Systems\System\Logs\*]</FONT><BR /><FONT face="courier new,courier">index = MyIndex</FONT><BR /><FONT face="courier new,courier">disabled = 0</FONT><BR /><FONT face="courier new,courier">_TCP_ROUTING = my_config</FONT></P><P><STRONG>I have also tried:</STRONG></P><P><FONT face="courier new,courier">[monitor://C:\Systems\System\Logs]</FONT><BR /><FONT face="courier new,courier">index = MyIndex</FONT><BR /><FONT face="courier new,courier">disabled = 0</FONT><BR /><FONT face="courier new,courier">_TCP_ROUTING = my_config</FONT></P><P><STRONG>But my Universal Forwarder won't look up inside the folders that I have inside the Logs directory.</STRONG></P><P><STRONG>Question 1:</STRONG> Is there a way to config a "global stanza setting" so the Universal Forwarder will look for every new event inside all of the folders or I will have to work with the hard way, configuring each and every folder with a new monitor stanza?</P><P><STRONG>Question 2</STRONG>: Is there a way to automate whenever we turn to the next month or next year so I won't have to go back and configure all the stanzas with the current year/month that we are?</P><P>In terms of troubleshooting, I've already restarted the service and I have connectivity with the Splunk destination.</P><P>Thank you in advance!</P> Wed, 11 Nov 2020 18:44:18 GMT https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-Look-For-Logs-Inside-Folders/m-p/529013#M89149 luteixeira 2020-11-11T18:44:18Z https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-Look-For-Logs-Inside-Folders/m-p/529020#M89150 <P>Universal Forwarders are supposed to recursively monitor subdirectories automatically, but perhaps another setting disabled that.&nbsp; Try these settings.</P><LI-CODE lang="markup">[monitor://C:\Systems\System\Logs\...\*.txt] index = MyIndex disabled = 0 recursive = true _TCP_ROUTING = my_config</LI-CODE> Wed, 11 Nov 2020 19:10:36 GMT https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-Look-For-Logs-Inside-Folders/m-p/529020#M89150 richgalloway 2020-11-11T19:10:36Z https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-Look-For-Logs-Inside-Folders/m-p/529038#M89153 <P>Hello, Rich!</P><P>Thank you for your reply. Just upvoted your comment since the recursive attribute resolved both of my problems.</P><P>You're awesome!</P><P>Thank you again</P> Wed, 11 Nov 2020 20:31:49 GMT https://community.splunk.com/t5/Getting-Data-In/Make-Splunk-Look-For-Logs-Inside-Folders/m-p/529038#M89153 luteixeira 2020-11-11T20:31:49Z