We are new to Splunk and are trying it before we buy it. I am having trouble getting Splunk to monitor the individual log files that capture transaction data, of which there is one for each register in each store, and each store has its own subdirectory off of the main directory.
All of the files in question are named ####_#_scanLog, where #### is the store number and # is the terminal number. Each store's files are in a directory named ####_scanLogs, where, again, the #### is the store number. I have tried the following in inputs.conf, and none have worked:
[monitor:///usr/local/copient/logs/*_scanLogs]
disabled = false
index = transactions
sourcetype = scanlog
crcSalt = <SOURCE>
[monitor:///usr/local/copient/logs/*_scanLogs/*_scanLog]
disabled = false
index = transactions
sourcetype = scanlog
crcSalt = <SOURCE>
[monitor:///usr/local/copient/logs/]
disabled = false
index = transactions
sourcetype = scanlog
crcSalt = <SOURCE>
whitelist = *_scanLog
[monitor:///usr/local/copient/logs/]
disabled = false
index = transactions
sourcetype = scanlog
crcSalt = <SOURCE>
None of these have worked. In addition to this monitoring stanza, we also have two others which monitor specific files within the logs directory, and these work fine.
Any ideas would be appreciated.
What about:
[monitor:///usr/local/copient/logs/.../*_scanLog]
disabled = false
index = transactions
sourcetype = scanlog
Note that I've removed the crcSalt.
What about:
[monitor:///usr/local/copient/logs/.../*_scanLog]
disabled = false
index = transactions
sourcetype = scanlog
Note that I've removed the crcSalt.