I upgraded from 6.1.3 to 6.2.1 recently and noticed that some of my universal forwarders stopped sending certain logs. Upon further inspection, I noticed that it stopped sending logs that were specified with wildcards in the folder name, e.g., c:\folder*logs\logs\*. In splunkd.log I see that it adds a watch on path c:\. I know that Splunk is supposed to parse c:\folder*logs\logs\* into something along the lines of
[monitor://c:\]
whitelist = folder*logs\logs\*
but this doesn't seem to be working anymore. I had to specify actual folder names to get it to work. Does anyone have any ideas? Or am I just crazy? Thanks!
Did you try explicitly setting recursive = true?
Reference: Inputs.conf