We have Splunk forwarder deployed on a Windows server and inputs.conf is configured with two log sources.
[default] host = test_OP_CBE_AUX1 [monitor://C:\ClearPath\logs] whitelist = [\\]cpe2Pims-\d\d\d\d_\d\d_\d\d\.log$ index = pb sourcetype = json recursive = false disabled = false [monitor://C:\ClearPath\logs\CatalogUpdater] whitelist = [\\]UnclassifiedExtractor_splunk\.log index = pb sourcetype = json recursive = false disabled = false
However, we are seeing logs forwarded to Splunk indexer only from [monitor://C:\ClearPath\logs] and other source [monitor://C:\ClearPath\logs\CatalogUpdater] does not forward the logs.
If set disable to "true" for [monitor://C:\ClearPath\logs] -- we immediately see logs being forwarded from [monitor://C:\ClearPath\logs\CatalogUpdater]
This is not a licensing issue. Any inputs on what's causing this issue will be greatly appreciated.
This is a bit of a shot in the dark, but have you tried moving the second input stanza above the first one? Splunk plays by it's own set of order of operations, and maybe the recursive=disabled in the first stanza is blocking the second input which exists in a subdirectory.
anthonymelita - Problem solved!
You are the best and thank you so much for taking time to reply.
Cheers and a happy forth!
I'm not crazy about the
What about something like? -
[monitor://C:\ClearPath\logs\cpe2Pims-*.log] ..... [monitor://C:\ClearPath\logs\CatalogUpdater\UnclassifiedExtractor_splunk.log] .....
ddrillic - it's resolved after following the recommendation from Anthony. I appreciate you taking time to reply to my post and your willingness to help is greatly appreciated.
recursive = false applies on the entire
[monitor://C:\ClearPath\logs]. That's another reason why my suggestion should work and keep it clearer ; -)