We are using SplunkUniversalForwarder 4.2.3 x64 to forward some logs. inputs.conf has the following stanzas
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs\CustomMSTRLog*] 
disabled = 0 
sourcetype = stg_mstr_esm_log 
crcSalt = 
[WinEventLog:Application]
disabled = 0
[WinEventLog:System]
disabled = 0
Eventlogs are getting forwarded without any issues but the apache logs are not. I am not seeing any errors in splunkd.log on the forwarder.
I was able to resolve the issue using a whitelist. I think the wild card does not work because (x86) in the path.
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs]
whitelist = Custom[^/]*.log$
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt = 
I was able to resolve the issue using a whitelist. I think the wild card does not work because (x86) in the path.
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs]
whitelist = Custom[^/]*.log$
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt = 
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		Hi anaptshah
there are many things, that could prevent a file from being read by the universal forwarder:
splunkd.exe list monitor show your stanza with the correct path?hope this helps a bit and you get it fixed.
cheers
I uploaded the incorrect stanza, the stanza thats not working is as follows
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs\CustomMSTRLog*]
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt = 
splunkd.exe list monitor shows the directory but does not show any of the files. Is there something special about (x86)? The stanza on the original post works fine.
