I am trying to pull in a several log files that are always being updated from a folder on Windows. Here is my inputs.conf
[monitor://C:\Siebel\sba81\siebsrvr\BIN\*.log] index=siebel sourcetype=siebel_scg_logs
But the results in splunk only show one file ignoring all the other ones. Any idea why Splunk is not gathering the other log files in the directory? Did I miss something in the stanza I needed?
" * " doesn't work as expected in windows
This should work
[monitor://C:\Siebel\sba81\siebsrvr\BIN\] index=siebel sourcetype=siebel_scg_logs whitelist=\.log$
That is not exactly true, you just need to 'know' what to expect. If you want to get dizzy you can read the rules:
My guess is that splunk is treating \* as regex not a * wildcard. Regardless, I believe the example in the doc says that \* does not work in Windows; you should expect it to fail.
This script will help you in determining what status Splunk has for your monitor inputs: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/
You should post your monitor string as code (select the 101010 format option at the top).
Escape characters are important in a monitor string.
Would it be possible for you to tell the filenames present in the folder?