I have several servers with SQL logs that are in the format:
I have tried all kinds of wildcard variations, but I cannot get Splunk to index these files. I can see from the internal logs that Splunk says it is watching the file, yet it never indexes any data from it. Anyone face a similar issue?
Can you try something like this (assuming files with extension .1/.2 are rollover files and don't have to be monitored):
[monitor://D:\Your Path\To Log File\Till TheFolder\Containing The\SQL Logs]
whitelist = sqlerror$
index = yourindex
sourcetype = yoursourcetype
Does the Splunk user have permission to read the files? Maybe if you check the Windows Security and Application logs, you will find more details such as an access denied, etc.
I would think that if the internal logs indicate that it is being watched then permissions "should" be correct - I really hate the word "should" - but Windows permissions could be very funky.
You need some special privileges to run a Windows service as your own userid (and not really recommended anyway), so perhaps those are not all set up. Can you run the service as Local System (or an MSA) to test for different behaviour?
I hate to ask again, but did you check the Windows event logs? I know it's cliche but they've seriously saved my butt on more than one occasion only after I said... hmphh there won't be anything in THOSE logs about THIS issue.
Splunk definitely doesn't care about file extension in general. You should be able to collect logs with no extension without trouble (I did it many times exactly with SQL-related files).
I guess your problem is somewhere else, aka the watch on path is correct but there is something else wrong going on. Take a look at this page of the Splunk wiki for troubleshooting the input monitoring process: http://wiki.splunk.com/Community:TroubleshootingMonitorInputs
Hope it helps,
Point of clarification: When you say "SQL Server Logs" - are we referring to plain text log files about the running of the SQL Server? Or are we talking about Transaction log files?