Yes, I can see all the splunkd logs and windows logs getting ingested. As of this morning there is data in the malware index. I think because splunk read the files once in the dev environment, it did not read them again in the production environment? I am not sure as a new file was created last night/early this morning and that information was ingested. All the old *.txt files that were present while we were running tests in dev did not get ingested.

That seems weird to me as dev and prod are completely separate instances. But it is working now. Thanks all

Hi,
can you pls give me the idea how it is working for you, I also have same issue and can see other security and windows event logs in splunk but when I configured some text file on 😧 drive it is not picking there in splunk.
Please guide me.

Thanks,
Ankit

FYI, your inputs.conf works for me.

Yes I have an index called malware in production
I do not have a props.conf for the sourcetype malware, as I did not need one in dev
Yesterday was the last day that files were written out to the directory that we are monitoring the *.txt files

And splunkd shows nothing out of the ordinary.

Check splunk btool inputs list monitor if your config is applied correctly and check splunk list inputstatus if Splunk is reading the directory and the files?
Check if your service account has permission to read files in that directory?
Check on any intermediate parsing layer, if there are nullQueues configured?
Check index=_internal sourcetype=splunkd source=*metrics.log series=*Syslodg* over all time to get some information if data was sent?
Search the index over all time, maybe you have some timestamping issue?
Last resort tcpdump the traffic to see if the input instance is sending out events and they get lost somewhere?

This list is almost never-ending ... Good luck and I hope you find the missing puzzle piece.

cheers, MuS