https://community.splunk.com/t5/Splunk-Search/Cannot-search-log-that-is-configured-on-forwarder-using-wildcard/m-p/144868#M40354 <P>I configured my forwarder as :</P> <P>[monitor:///sumoprd/app/oracle/prod/xeware/usr_projects/domains/bifoundation_domain/servers/bi_server1/logs/<EM>/</EM>.log]<BR /> disabled = false<BR /> followTail = 0<BR /> host = sumosamprd76<BR /> index = prd<BR /> sourcetype = sumologs</P> <P>But why is it I cannot search the logs under "logger/simlog.log" logfile when I ran the below query? Is there something wrong in configuring forwarder with wild card (i.e asterisk)?</P> <P>source=/sumoprd/app/oracle/prod/xeware/usr_projects/domains/bifoundation_domain/servers/bi_server1/logs/logger/simlog.log</P> <P>Please help. thanks</P> Mon, 28 Sep 2020 18:57:50 GMT Isaias_Garcia 2020-09-28T18:57:50Z https://community.splunk.com/t5/Splunk-Search/Cannot-search-log-that-is-configured-on-forwarder-using-wildcard/m-p/144868#M40354 <P>I configured my forwarder as :</P> <P>[monitor:///sumoprd/app/oracle/prod/xeware/usr_projects/domains/bifoundation_domain/servers/bi_server1/logs/<EM>/</EM>.log]<BR /> disabled = false<BR /> followTail = 0<BR /> host = sumosamprd76<BR /> index = prd<BR /> sourcetype = sumologs</P> <P>But why is it I cannot search the logs under "logger/simlog.log" logfile when I ran the below query? Is there something wrong in configuring forwarder with wild card (i.e asterisk)?</P> <P>source=/sumoprd/app/oracle/prod/xeware/usr_projects/domains/bifoundation_domain/servers/bi_server1/logs/logger/simlog.log</P> <P>Please help. thanks</P> Mon, 28 Sep 2020 18:57:50 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-search-log-that-is-configured-on-forwarder-using-wildcard/m-p/144868#M40354 Isaias_Garcia 2020-09-28T18:57:50Z https://community.splunk.com/t5/Splunk-Search/Cannot-search-log-that-is-configured-on-forwarder-using-wildcard/m-p/144869#M40355 <P>monitor is specified.</P> <PRE><CODE>[monitor:///sumoprd/app/oracle/prod/xeware/usr_projects/domains/bifoundation_domain/servers/bi_server1/logs//.log] </CODE></PRE> <P>↓</P> <PRE><CODE>[monitor:///sumoprd/app/oracle/prod/xeware/usr_projects/domains/bifoundation_domain/servers/bi_server1/logs/*.log] </CODE></PRE> <P>(EX.)<BR /> To monitor any file directly under /apache/ that ends in .log:<BR /> [monitor:///apache/*.log]</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Specifyinputpathswithwildcards">http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Specifyinputpathswithwildcards</A></P> <P>Be considered as a reason you can not search<BR /> 1. Has not been taken up log<BR /> 2. INDEX of interest is not the default search<BR /> → Please add "index = prd" in the search condition.<BR /> 3. Is wrong specified SOURCE</P> Mon, 16 Feb 2015 05:12:53 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-search-log-that-is-configured-on-forwarder-using-wildcard/m-p/144869#M40355 HiroshiSatoh 2015-02-16T05:12:53Z https://community.splunk.com/t5/Splunk-Search/Cannot-search-log-that-is-configured-on-forwarder-using-wildcard/m-p/144870#M40356 <P>cheers! thanks</P> Wed, 18 Feb 2015 05:45:14 GMT https://community.splunk.com/t5/Splunk-Search/Cannot-search-log-that-is-configured-on-forwarder-using-wildcard/m-p/144870#M40356 Isaias_Garcia 2015-02-18T05:45:14Z