Hello,
I have something strange going on. I need to monitor logs from three different systems. Thus far I have only built one system, so there are only logs from one system present.
The three systems are:
sldvuspeedtest01p
ptdvuspeedtest01p
tsdvuspeedtest01p
While it's always tempting to go crazy with regexes, I tried the simpler version first:
[monitor:///opt/syslog/*speedtest*]
index = isp
sourcetype = speedtest
whitelist = \.log$
blacklist = (default[a-zA-Z0-9\_\-]+)\.log
#host_regex = \/opt\/syslog\/(.*)/
host_segment = 3
But Splunk will only load the syslog files if the stanza reads:
[monitor:///opt/syslog/sldvuspeedtest01p].
So when I tried the previous version and then ran
"splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus"
I see the following lines:
<s:key name="/opt/syslog/sldvuspeedtest01p/syslog_2023-02-24.log">
<s:dict>
<s:key name="parent">/opt/syslog/zayo_devices_new</s:key>
<s:key name="type">File did not match whitelist '^\/opt\/syslog/[^/]*\.docker/syslog_[^/]*\.log$'.</s:key>
</s:dict>
</s:key>
There is a stanza for that "parent", but why would Splunk even confuse the two? Is there a hierarchy in which monitor stanzas are loaded that I am running afoul of?
There is also a separate stanza [monitor:///opt/syslog/*.docker/syslog_*.log], but it doesn't make sense why it would be referred to here either.
[monitor:///opt/syslog/zayo_devices_new]
whitelist = \.log$
blacklist = (Health[a-zA-Z0-9\_\-]+)\.log
index=z_catchall
sourcetype = zayo_routing
host_regex = zayo_devices_new/(.*)\_
Hello, I failed to post that this is Splunk 9.0.0.1 running on CentOS 7, configured as a heavy forwarder.
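To see why two of the three stanzas above can compete for the same file, here is an added example (not Splunk's code and not from the original post) that mimics how the TailingProcessor turns a wildcard monitor path into a base directory plus a derived whitelist, then reports which stanzas would claim a given file. The `*` to `[^/]*` translation is taken from the `'^\/opt\/syslog/[^/]*\.docker/syslog_[^/]*\.log$'` line in the inputstatus output; the optional `(?:/.*)?` tail for directory patterns and the way an explicit whitelist/blacklist combines with the derived one are assumptions.

```python
import re

# Constructed from the three monitor stanzas in the post: the path plus the
# explicit whitelist/blacklist each one sets (none for the .docker stanza).
STANZAS = {
    "/opt/syslog/*speedtest*": {"whitelist": r"\.log$",
                                "blacklist": r"(default[a-zA-Z0-9\_\-]+)\.log"},
    "/opt/syslog/*.docker/syslog_*.log": {},
    "/opt/syslog/zayo_devices_new": {"whitelist": r"\.log$",
                                     "blacklist": r"(Health[a-zA-Z0-9\_\-]+)\.log"},
}

def derive_base_and_regex(path):
    """Return (base_dir, derived_whitelist) for a monitor path.
    base_dir is the deepest directory with no wildcard; '*' becomes '[^/]*',
    as the TailingProcessor output in the post shows. Assumption: a pattern
    naming a directory also covers files beneath it ('(?:/.*)?' tail).
    A path with no wildcard returns None as its derived whitelist."""
    base = []
    for seg in path.split("/"):
        if "*" in seg:
            break
        base.append(seg)
    base_dir = "/".join(base) or "/"
    if "*" not in path:
        return base_dir, None
    body = "".join("[^/]*" if ch == "*" else re.escape(ch) for ch in path)
    return base_dir, "^" + body + r"(?:/.*)?$"

def claiming_stanzas(file_path, stanzas=STANZAS):
    """Return {stanza_path: (base_dir, claims_file)} for one file.
    Assumption: a stanza claims a file when the file is in scope (under the
    exact path, or matching the derived regex), passes the explicit whitelist
    if one is set, and is not hit by the explicit blacklist."""
    report = {}
    for path, opts in stanzas.items():
        base_dir, derived = derive_base_and_regex(path)
        if derived is None:
            in_scope = file_path.startswith(path.rstrip("/") + "/")
        else:
            in_scope = re.search(derived, file_path) is not None
        claims = in_scope
        if claims and opts.get("whitelist"):
            claims = re.search(opts["whitelist"], file_path) is not None
        if claims and opts.get("blacklist"):
            claims = re.search(opts["blacklist"], file_path) is None
        report[path] = (base_dir, claims)
    return report
```

Running `claiming_stanzas("/opt/syslog/sldvuspeedtest01p/syslog_2023-02-24.log")` shows both wildcard stanzas collapsing onto the same base directory `/opt/syslog`, which is where the two inputs start competing for files.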