We see the following -
02-09-2017 21:12:49.973 -0600 INFO TailingProcessor - Parsing configuration stanza: monitor://E:\logs\sessiondelete\*_DELETESCRIPT.log.
02-09-2017 21:12:49.973 -0600 INFO TailingProcessor - Adding watch on path: E:\logs\sessiondelete.
But they don't reach the indexers. Any ideas?
The forwarder should be sending internal data to Indexers, do you at least see that (to confirm that outputs.conf is configured correctly, check index=_internal host=yourForwarder)? Also, restart your forwarder and check the splunkd.log for errors and warnings; you may catch something relevant.
Windows doesn't play well with wildcards on the monitor path. Try using whitelist and blacklist instead to wildcard your file names.
Caution: In Windows, you cannot currently use a wildcard at the root level. For example, this does not work:
Splunk Enterprise logs an error and fails to index the desired files.
This is a known issue, described in the Known Issues topic of the Release Notes. Look there for details on all known issues.
This might have been fixed in later versions, I'm not sure.
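The whitelist approach suggested above, as an added example that is not part of the original posts. It rewrites the stanza shown in the question's splunkd.log lines; the regular expression is an assumption about which file names should match.

```ini
# inputs.conf on the forwarder (added example, not from the thread)

# Stanza as reported in the question's splunkd.log, with the wildcard in the path:
# [monitor://E:\logs\sessiondelete\*_DELETESCRIPT.log]

# Same intent without a wildcard in the monitor path: watch the directory
# and select files with a whitelist. The whitelist is a regular expression
# tested against the full file path, so anchor it at the end of the name.
[monitor://E:\logs\sessiondelete]
whitelist = _DELETESCRIPT\.log$
```

Restart the forwarder after the change so the new stanza is read.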