I have an inputs.conf file that had a monitor statement like:
Files are NOT being picked up. If I get rid of the * and put a file name like:
it works fine.
How do I escape out the "_" or use a Regex to get the correct filenames?
This seems like a bug, based on what you have described here. I would file a support ticket.
But I think there may also be a work-around.
First, for the stanza, do either of these work?
If you can make it work for a wider selection of directories (I know that isn't optimal), then you can restrict using the whitelist:
This whitelist should work for either of the stanzas above. Whitelists are regular expressions; stanzas are not.
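The distinction drawn in the answer above, as an added sketch that is not part of the thread and not Splunk's code: it approximates stanza matching with the regex equivalents Splunk documents for its wildcards (`...` as `.*`, `*` as `[^/]*`) and applies a whitelist as an ordinary regex on the full path, so you can check offline which files a given pair should select. The paths, the whitelist and the function names are constructed for illustration.

```python
import re

WILDCARD = re.compile(r"\.\.\.|\*")  # the two wildcards allowed in a monitor path

def stanza_to_regex(stanza_path):
    """Anchored regex for a monitor path (the part after 'monitor://')."""
    out, pos = [], 0
    for m in WILDCARD.finditer(stanza_path):
        # Text between wildcards is literal; '_' needs no escaping at all.
        out.append(re.escape(stanza_path[pos:m.start()]))
        # '...' recurses through directories, '*' stays within one path segment.
        out.append(".*" if m.group() == "..." else "[^/]*")
        pos = m.end()
    out.append(re.escape(stanza_path[pos:]))
    return "^" + "".join(out) + "$"

def picked_up(path, stanza_path, whitelist=None):
    """True if path is in scope of the stanza and passes the whitelist regex."""
    if WILDCARD.search(stanza_path):
        in_scope = re.search(stanza_to_regex(stanza_path), path) is not None
    else:
        # No wildcard: a file matches itself, a directory covers everything below it.
        base = stanza_path.rstrip("/")
        in_scope = path == base or path.startswith(base + "/")
    if not in_scope:
        return False
    # A whitelist is an unanchored regular expression tested against the path.
    return whitelist is None or re.search(whitelist, path) is not None

if __name__ == "__main__":
    # Constructed sample paths, not taken from the thread.
    samples = [
        "/var/log/app/app_server_01.log",
        "/var/log/app/sub/app_server_02.log",
        "/var/log/app/other.txt",
    ]
    cases = [
        ("/var/log/app/app_*.log", None),              # wildcard stanza
        ("/var/log/.../app_*.log", None),              # recursive wildcard stanza
        ("/var/log/app", r"/app_[^/]*\.log$"),         # wide stanza + whitelist
    ]
    for stanza, wl in cases:
        hits = [p for p in samples if picked_up(p, stanza, wl)]
        print(f"[monitor://{stanza}] whitelist={wl!r} -> {hits}")
```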
Submitted a ticket to support.
Tried your suggestions above and it did NOT work.
Even looking in the logs I see where Splunk is reading the values from inputs.conf but no files get picked up and show up in WatchedFile.