Getting Data In

After upgrading from Splunk 6.1.3 to 6.2.1, why did universal forwarders stop sending logs that were specified with wildcards in the inputs.conf monitor stanzas?

mikehodges01
Explorer

I upgraded from 6.1.3 to 6.2.1 recently and noticed that some of my universal forwarders stopped sending certain logs. Upon further inspection, I noticed that it stopped sending logs that were specified with wildcards in the folder name, eg, c:\folder*logs\logs\*. In splunkd.log I see that it adds a watch on path c:\. I know that Splunk is supposed to parse c:\folder*logs\logs\* into something along the lines of

[monitor://c:\]
whitelist = folder*logs\logs\*

but this doesn't seem to be working anymore. I had to specify actual folder names to get it to work. Does anyone have any ideas? Or am I just crazy? Thanks!

0 Karma

mikebd
Path Finder

Did you try explicitly setting recursive = true?
Reference: Inputs.conf

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...