I upgraded from 6.1.3 to 6.2.1 recently and noticed that some of my universal forwarders stopped sending certain logs. Upon further inspection, I noticed that it stopped sending logs that were specified with wildcards in the folder name, eg, c:\folder*logs\logs\*. In splunkd.log I see that it adds a watch on path c:\. I know that Splunk is supposed to parse c:\folder*logs\logs\* into something along the lines of
whitelist = folder*logs\logs\*
but this doesn't seem to be working anymore. I had to specify actual folder names to get it to work. Does anyone have any ideas? Or am I just crazy? Thanks!