Currently, I have setup inputs.conf, Splunk is reading all the directories in the inputs file- but not reading one file.
I tried using crcSalt but nothing works.
It's reading first 3 monitor paths but not reading the last one.
All three are from the same server and the log exists.
[monitor://D:\Talx.xxx\EDRService.xxxx\AppLogs*] disabled = false recursive = false index = xxxxxx sourcetype = xxxxxx [monitor://D:\AuditAndxxxxxx\TWNEmployerServiceP0xxxxxx.trace.*] disabled = false recursive = false index = xxxxx sourcetype = xxxxxx [monitor://D:\AuditAndxxxxx\TWNEmployerxxxxx.*] disabled = false recursive = false index = xxxxx sourcetype = xxxxxx [monitor://D:\Talx.xxxxxxx\TWNEmployer.xxxxxx_Logs\AppLogs.*] disabled = false recursive = false index = pxxxxxx crcSalt = sourcetype = xxxxxxxxxxx
Verify Splunk has read access to the directories and files it is to monitor.
Check splunkd.log for related error messages.
splunk btool --debug inputs list to verify the configuration.
splunk list monitor to verify what Splunk is monitoring.
To help future readers, please add and accept an answer explaining how you resolved the problem.
hi i am not able to accept the answer , i cannot see the accept answer button. In my monitoring path i had an extra space so its not reading the logs , i removed the extra space and i restart the forwarder , it starts flowing the logs.