I need help with setting these wild cards, it seems like Splunk is not picking up the file in the sub folders. Logs are in:
There is data in the sub folder in /year/month/day/day/, and then there are the file names that seem random, but start with APP and end with LOG.
Below is what I have set up and no data is coming in.
disabled = false
recursive = false
sourcetype = blah
index = foofooblahhhhhh
The three dots are already recursive, so you should be able to try:
And have it work correctly. It's possible the multiples of those are throwing off the parser.
View solution in original post
Also set recursive to true, or else Splunk won't monitor sub-directories at all.
Also you may want to change the last bit so its (BEGINNING)*.LOG (or w/e the file extension is if there is one), so for example APP*.LOG. However if it's just a plain file (no extension) then your way should be fine.