My inputs.conf contains:
disabled = false
followTail = 0
host_regex = /usr/local/ecc_to_splunk/pickup/(\w+)
sourcetype = clariion_sp
but I'm getting this in splunkd.log:
INFO TailingProcessor - No configurations match, will ignore path='/usr/local/ecc_to_splunk/pickup/APM00084800327.sp.20101221'
It doesn't make a lot of sense as I have an almost identical monitor that's working fine - [monitor:///usr/local/ecc_to_splunk/pickup/*.disk.*]
Thanks in advance.
Silly troubleshooting tip here, but does the user that Splunk is running as have read permission for those files?
yes, splunk is running as root and the .sp files have identical permissions to the other files in the same dir that are getting picked up. thanks.