I've been having issues with wildcarded input monitoring. In an attempt to adjust for an issue with file path naming across a number of servers.
My original/working stanza. Disregard ellipses, I've shortened the path for this posting:
- [monitor://D:\Program Files\Microsoft\...\MessageTracking]
My adjusted/wildcarded stanzas that have not worked for input on any of our. Disregard ellipses, I've shortened the path for this posting to increase readability:
- [monitor://D:\*\Microsoft\...\MessageTracking]
- [monitor://D:\Prog*am Files\Microsoft\...\MessageTracking]
- [monitor://D:\*Files\Microsoft\...\MessageTracking]
I don't appear to receive an error message after this change, but logs completely drop off when wildcard is put into the deployed configuration.
Unfortunately, I've no direct access to the endpoint. I've resolved the issue by putting in a secondary input stanza to account for the file path difference.
Unfortunately, I've no direct access to the endpoint. I've resolved the issue by putting in a secondary input stanza to account for the file path difference.
Can you run
$SPLUNK_HOME/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
to check if it provides any hints as to why your wildcards don't match? Many moons ago, spaces in wild-carded directories on Windows caused issues, but those should be fixed by now. I don't really see anything wrong with your config.