I have installed Universal forwarder on one of the box that I need to monitor.In that machine I want to monitor a particular folder under E drive, say E:\Splunk. The splunk folder has inturn two more directories ftplogs and NPCI. The NPCI inturn has set of directories which inturn has some logs in it. Splunk can monitor only few directories under NPCI but not all, why is it happening so? Need your suggestion.
Thanks in advance for your help!
It is likely that the files contain identical content in important sections and have the same CRC so are being interpreted as the same file (only forward it once):
You can Salt with the filename with
crcSalt= so this will not happen.
To be more clear i shall say this way E:\Splunk has 2 folders ftplogs and ncpi. ftplogs has 5 more folders in it say a,b,c,d,e. the folder a has 10 log files in it with names SystemOut_14.03.2014_18.07.01, SystemOut_14.03.2014_18.07.02 like that ....till 18.07.10. But from SPLUNK machine I could just view only the first log file but not the rest, though I gave monitor=[E:\Splunk] under inputs.conf file
Impossible to say without more details. General troubleshooting tips: check splunkd.log for errors, use amrit's script at http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ to see which file inputs Splunk has and what status they have.