We have some problems with our inputs.conf for directory inputs in the following stanzas:
[monitor:///pathToLogs/*/fixedPath/logForSourcetype1*.log]
[monitor:///pathToLogs/*/fixedPath/logForSourcetype2*.log]
The goal here is to read the host and source type for the given input.
- host: through host_segment (first * in the stanzas)
- source type: through the name of the logfile (logForSourcetype[1/2])
Our problem is that, as defined in the documentation, a monitor with wildcards gets separated into the monitor and a whitelist.
But as @sha_knowis mentioned, a monitor containing a wildcard gets converted into a monitor with an absolute file input path and a whitelist.
When you specify wildcards in a file input path, Splunk Enterprise creates an implicit whitelist for that stanza. The longest wildcard-free path becomes the monitor stanza, and Splunk Enterprise translates the wildcards into regular expressions.
So your example will result in two monitors with the file input path ///pathToLogs/ with different whitelists. But the file input paths of monitors must be unique. If not, the last monitor in inputs.conf wins.
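An added example (not part of the original posts, and not Splunk's own code): a simplified Python model of the split described above, flagging monitor stanzas in an inputs.conf that collapse to the same wildcard-free path, so a silently dropped input is caught before deployment. It assumes `*` translates to `[^/]*` and `...` to `.*`; the sample configuration and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two stanzas from the question plus one wildcard-free monitor.
SAMPLE_INPUTS_CONF = """\
[monitor:///pathToLogs/*/fixedPath/logForSourcetype1*.log]
[monitor:///pathToLogs/*/fixedPath/logForSourcetype2*.log]
[monitor:///var/log/app/app.log]
"""

STANZA_RE = re.compile(r"^\[monitor://(?P<path>[^\]]+)\]\s*$", re.MULTILINE)
WILDCARD_RE = re.compile(r"\.\.\.|\*")
# Assumed translation of input-path wildcards into whitelist regex fragments.
TRANSLATION = {"...": ".*", "*": "[^/]*"}


def split_monitor(path):
    """Return (wildcard-free base path, implicit whitelist regex or None)."""
    first = WILDCARD_RE.search(path)
    if first is None:
        return path, None
    # The base ends at the last '/' before the first wildcard.
    cut = path.rfind("/", 0, first.start()) + 1
    tokens = re.split(r"(\.\.\.|\*)", path[cut:])
    whitelist = "".join(TRANSLATION.get(t, re.escape(t)) for t in tokens) + "$"
    return path[:cut], whitelist


def find_collisions(conf_text):
    """Map each base path shared by several monitor stanzas to those stanzas."""
    by_base = defaultdict(list)
    for match in STANZA_RE.finditer(conf_text):
        base, whitelist = split_monitor(match.group("path"))
        by_base[base].append((match.group(0).strip(), whitelist))
    return {base: hits for base, hits in by_base.items() if len(hits) > 1}


if __name__ == "__main__":
    for base, hits in find_collisions(SAMPLE_INPUTS_CONF).items():
        print(f"{len(hits)} stanzas resolve to monitor path {base}:")
        for stanza, whitelist in hits:
            print(f"  {stanza} -> whitelist = {whitelist}")
```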