Getting Data In

After upgrading from Splunk 6.1.3 to 6.2.1, why did universal forwarders stop sending logs that were specified with wildcards in the inputs.conf monitor stanzas?

Explorer

I upgraded from 6.1.3 to 6.2.1 recently and noticed that some of my universal forwarders stopped sending certain logs. Upon further inspection, I noticed that it stopped sending logs that were specified with wildcards in the folder name, eg, c:\folder*logs\logs\*. In splunkd.log I see that it adds a watch on path c:\. I know that Splunk is supposed to parse c:\folder*logs\logs\* into something along the lines of

[monitor://c:\]
whitelist = folder*logs\logs\*

but this doesn't seem to be working anymore. I had to specify actual folder names to get it to work. Does anyone have any ideas? Or am I just crazy? Thanks!

0 Karma

Path Finder

Did you try explicitly setting recursive = true?
Reference: Inputs.conf

0 Karma