Getting Data In

directory monitor not picking up file

Explorer

My inputs.conf contains:

[monitor:///usr/local/ecc_to_splunk/pickup/*.sp.*]
disabled = false
followTail = 0
host =
host_regex = /usr/local/ecc_to_splunk/pickup/(\w+)
sourcetype = clariion_sp

/usr/local/ecc_to_splunk/pickup contains:
APM00083100781.sp.20101221
APM00083100781.sp.20101222
APM00083100781.sp.20101223
APM00084800327.sp.20101221
APM00084800327.sp.20101222
APM00084800327.sp.20101223
APM00094100281.sp.20101221
APM00094100281.sp.20101222
APM00094100281.sp.20101223

but I'm getting this in splunkd.log: INFO TailingProcessor - No configurations match, will ignore path='/usr/local/ecc_to_splunk/pickup/APM00084800327.sp.20101221'

It doesn't make a lot of sense as I have an almost identical monitor that's working fine - [monitor:///usr/local/ecc_to_splunk/pickup/*.disk.*]

Thanks in advance.

0 Karma

Communicator

Silly troubleshooting tip here, but does the user that Splunk is running as have read permission for those files?

0 Karma

Explorer

yes, splunk is running as root and the .sp files have identical permissions to the other files in the same dir that are getting picked up. thanks.

0 Karma