This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: inputs.conf forwarding from the same directory...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf forwarding from the same directory issue
Dark_Ichigo
Builder
07-07-2014
08:34 PM
Only the first Stanza works, when I comment out one of them, it works fine, but no matter what happens, I cant get them both to work...
Only highlighted logs are forwarded.
# logs1
[monitor:///home/mmm/logs/mmm.log*]
sourcetype = Core
index = CoreLog
_TCP_ROUTING = umm
#recursive = false
#whitelist = mmm\.log(\.1)?
# logs2
[monitor:///home/mmm/logs/mmm/smmm.log*]
sourcetype = CoreSMS
index = CoreLog
_TCP_ROUTING = umm
whitelist = smmm\.log(\.\d+\-\d+\-\d+)?
This widget could not be displayed.
This widget could not be displayed.
Reply
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
musskopf
Builder
07-07-2014
08:45 PM
Have you tried like this:
# logs1
[monitor:///home/mmm/logs/mmm.log*]
sourcetype = Core
index = CoreLog
_TCP_ROUTING = umm
recursive = false
# logs2
[monitor:///home/mmm/logs/mmm/smmm.log*]
sourcetype = CoreSMS
index = CoreLog
_TCP_ROUTING = umm
recursive = false
Also, does your SUF shows any error message in the logs?
This widget could not be displayed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
musskopf
Builder
07-08-2014
03:48 PM
Yeah, it might be a bug actually. Have a look on this post:
This widget could not be displayed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dark_Ichigo
Builder
07-07-2014
11:30 PM
Sorry, I have tried the above on multiple instances, but the same issue remains....
Could this be due to the fact that #log2 stanza is pointing at a Sub directory as opposed to the #log1 stanza which is one directory above it??
This widget could not be displayed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
musskopf
Builder
07-07-2014
09:22 PM
Splunk Universal Forwarder. I imagine tei config you pasted there in not from the inputs.conf on the Splunk Server but from some other box running a forwarder (splunk agent)
This widget could not be displayed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dark_Ichigo
Builder
07-07-2014
09:20 PM
Whats a SUF?
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
Get Updates on the Splunk Community!
Data Management Digest – December 2025
This widget could not be displayed.
Index This | What is broken 80% of the time by February?
This widget could not be displayed.
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
This widget could not be displayed.
This widget could not be displayed.