Splunk Tailing Errors


OK, my sources use syntax like \dir\dir\...\log so that it recursively finds all of my log files.

But now I see this in the Splunk errors report (Splunk v4.3.1 for Linux):

03-19-2012 13:11:32.755 -0400 ERROR TailingProcessor - matching /logs/syslog/ironports/hostA/2012/03/ against ^/logs/syslog/ironports/.*/log$

  1. So why the tailing error? Kinda a silly event, as it gives no info as to what the error was.
  2. Why does this report show a modified regex for the dir path? Me personally, I don't like configs to look like one thing in one place and something else in another place. So instead of using ... in my source paths I should use .* ?? (question marks to indicate this is a question, etc.)

Splunk Employee
The reason for the second one is that Splunk uses PCRE internally to implement the filters. The log message reflects the regex as used internally.
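
The wildcard-to-regex translation the answer describes, as an added example that is not part of the original thread and is not Splunk's own code. It assumes the monitored path was `/logs/syslog/ironports/.../log` (inferred from the logged regex) and that `*` maps to `[^/]*` as in Splunk's documented wildcard equivalents; the function names and the sample paths other than the one in the log line are constructed for illustration.

```python
import re

# Wildcard -> regex equivalents. "..." -> ".*" is what the logged pattern on
# this page shows; "*" -> "[^/]*" (stay inside one path segment) is assumed
# from Splunk's documented wildcard behaviour.
_WILDCARD = re.compile(r"\.\.\.|\*")


def monitor_path_to_regex(path: str) -> str:
    """Translate a monitor path containing ... or * into an anchored regex."""
    parts, pos = [], 0
    for m in _WILDCARD.finditer(path):
        parts.append(re.escape(path[pos:m.start()]))  # literal text, escaped
        parts.append(".*" if m.group() == "..." else "[^/]*")
        pos = m.end()
    parts.append(re.escape(path[pos:]))
    return "^" + "".join(parts) + "$"


def matches(monitor_path: str, candidate: str) -> bool:
    """True if the candidate path passes the translated filter."""
    return re.search(monitor_path_to_regex(monitor_path), candidate) is not None


if __name__ == "__main__":
    monitor = "/logs/syslog/ironports/.../log"  # assumed inputs.conf path
    print(monitor_path_to_regex(monitor))
    # First path is taken from the log line above; the rest are constructed.
    for candidate in (
        "/logs/syslog/ironports/hostA/2012/03/",
        "/logs/syslog/ironports/hostA/2012/03/log",
        "/logs/syslog/ironports/hostA/2012/03/log.1",
    ):
        print(f"{candidate!r:50} match={matches(monitor, candidate)}")
```

Running it prints the same pattern that appears in the TailingProcessor message, which makes it easy to check what a given `inputs.conf` path will look like in splunkd.log before searching for it.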

