I have a number of log-rotated files for mail.log in the /var/log folder on a Unix system. The /var/log/mail.log file gets ingested just fine, so I know permissions aren't an issue. However, I'd like to also ingest the older data that was log-rotated, but for the purpose of ingesting, those files were untarred again, so I have mail.log.1 to mail.log.4.
I have tried numerous stanzas and regexes in the whitelist, but none lead to the older data getting ingested.
The one I currently have in place is:
[monitor:///var/log/]
index = postfix
sourcetype = postfix_syslog
whitelist = (mail\.log$|mail\.log\.\d+)
Thanks for any suggestions in advance.
Thanks Giuseppe,
I don't see any historical data in my index as yet; this is what's in the splunkd.log file:
Hi @rene_splunk,
please try this:
[monitor:///var/log/mail.log*]
index = postfix
sourcetype = postfix_syslog
Ciao.
Giuseppe
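As an added check, not part of the thread, this Python emulates how a monitor stanza's path glob and whitelist regex are applied to full file paths (a constructed /var/log listing stands in for the poster's host), so the two stanzas above can be compared side by side before touching the forwarder:

```python
import fnmatch
import re

# The two stanzas from the thread, kept verbatim (a raw string preserves the regex).
WHITELIST_STANZA = r"""[monitor:///var/log/]
index = postfix
sourcetype = postfix_syslog
whitelist = (mail\.log$|mail\.log\.\d+)
"""

WILDCARD_STANZA = r"""[monitor:///var/log/mail.log*]
index = postfix
sourcetype = postfix_syslog
"""

# Constructed directory listing; not taken from any real system.
SAMPLE_PATHS = [
    "/var/log/mail.log", "/var/log/mail.log.1", "/var/log/mail.log.2",
    "/var/log/mail.log.3", "/var/log/mail.log.4", "/var/log/mail.log.5.gz",
    "/var/log/syslog", "/var/log/mail.err",
]


def parse_stanza(text):
    """Return (monitor path, settings dict) from one [monitor://...] stanza."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0]
    if not (header.startswith("[monitor://") and header.endswith("]")):
        raise ValueError("not a monitor stanza: " + header)
    settings = {}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return header[len("[monitor://"):-1], settings


def select_files(stanza_text, paths):
    """Emulate file selection: the monitor path is a shell-style glob (a bare
    directory watches everything beneath it); whitelist/blacklist are regexes
    searched against the full path, which is how Splunk evaluates them."""
    monitor, settings = parse_stanza(stanza_text)
    glob = monitor + "*" if monitor.endswith("/") else monitor
    chosen = []
    for p in paths:
        if not fnmatch.fnmatch(p, glob):
            continue
        if "whitelist" in settings and not re.search(settings["whitelist"], p):
            continue
        if "blacklist" in settings and re.search(settings["blacklist"], p):
            continue
        chosen.append(p)
    return chosen
```

Under this emulation both stanzas select the same six mail.log files, which is worth knowing when deciding whether the pattern or something else on the forwarder side is what keeps the rotated files out.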