Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After upgrading from Splunk 6.1.3 to 6.2.1, why did universal forwarders stop sending logs that were specified with wildcards in the inputs.conf monitor stanzas?

mikehodges01
Explorer
‎04-13-2015 01:36 PM

I upgraded from 6.1.3 to 6.2.1 recently and noticed that some of my universal forwarders stopped sending certain logs. Upon further inspection, I noticed that it stopped sending logs that were specified with wildcards in the folder name, eg, c:\folder*logs\logs\*. In splunkd.log I see that it adds a watch on path c:\. I know that Splunk is supposed to parse c:\folder*logs\logs\* into something along the lines of

[monitor://c:\]
whitelist = folder*logs\logs\*

but this doesn't seem to be working anymore. I had to specify actual folder names to get it to work. Does anyone have any ideas? Or am I just crazy? Thanks!

0 Karma
Reply

mikebd
Path Finder
‎06-21-2015 02:45 AM

Did you try explicitly setting recursive = true?
Reference: Inputs.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...