Getting Data In
Highlighted

Why are the logs being forwarder from one source to the Splunk indexer in a Splunk forwader deployed on a Windows server?

Explorer

Hi there,
We have Splunk forwarder deployed on a Windows server and inputs.conf is configured with two log sources.

[default]
host = test_OP_CBE_AUX1

[monitor://C:\ClearPath\logs]
whitelist = [\\]cpe2Pims-\d\d\d\d_\d\d_\d\d\.log$
index = pb
sourcetype = json
recursive = false
disabled = false

[monitor://C:\ClearPath\logs\CatalogUpdater]
whitelist = [\\]UnclassifiedExtractor_splunk\.log
index = pb
sourcetype = json
recursive = false
disabled = false

However, we are seeing logs forwarded to Splunk indexer only from [monitor://C:\ClearPath\logs] and other source [monitor://C:\ClearPath\logs\CatalogUpdater] does not forward the logs.

If set disable to "true" for [monitor://C:\ClearPath\logs] -- we immediately see logs being forwarded from [monitor://C:\ClearPath\logs\CatalogUpdater]

This is not a licensing issue. Any inputs on what's causing this issue will be greatly appreciated.

Cheers,
Pam

Highlighted

Re: Why are the logs being forwarder from one source to the Splunk indexer in a Splunk forwader deployed on a Windows server?

Communicator

This is a bit of a shot in the dark, but have you tried moving the second input stanza above the first one? Splunk plays by it's own set of order of operations, and maybe the recursive=disabled in the first stanza is blocking the second input which exists in a subdirectory.

View solution in original post

0 Karma
Highlighted

Re: Why are the logs being forwarder from one source to the Splunk indexer in a Splunk forwader deployed on a Windows server?

Explorer

anthonymelita - Problem solved!

You are the best and thank you so much for taking time to reply.

Cheers and a happy forth!

0 Karma
Highlighted

Re: Why are the logs being forwarder from one source to the Splunk indexer in a Splunk forwader deployed on a Windows server?

Ultra Champion

I'm not crazy about the whitelist way.

What about something like? -

[monitor://C:\ClearPath\logs\cpe2Pims-*.log]
.....

[monitor://C:\ClearPath\logs\CatalogUpdater\UnclassifiedExtractor_splunk.log]
.....

It's simpler...

0 Karma
Highlighted

Re: Why are the logs being forwarder from one source to the Splunk indexer in a Splunk forwader deployed on a Windows server?

Explorer

ddrillic - it's resolved after following the recommendation from Anthony. I appreciate you taking time to reply to my post and your willingness to help is greatly appreciated.

0 Karma
Highlighted

Re: Why are the logs being forwarder from one source to the Splunk indexer in a Splunk forwader deployed on a Windows server?

Ultra Champion

Sounds great! recursive = false applies on the entire [monitor://C:\ClearPath\logs]. That's another reason why my suggestion should work and keep it clearer ; -)

0 Karma