inputs.conf monitoring multiple folders

rahulg · ‎02-16-2021

Hello there

i have inputs.conf

#[monitor:///opt/splunk/etc/apps/my_app/bin/out/.../*.gz]
#disabled=0
#index=security_my_index
#sourcetype=fzzz
#source=fdr
#interval=60

this is only indexing all the files under

/opt/splunk/etc/apps/my_app/bin/out/data/**

but data is not getting indexed from below locations

/opt/splunk/etc/apps/my_app/bin/out/fdrv2/aidmaster

/opt/splunk/etc/apps/my_app/bin/out/fdrv2/managedassets

any idea on this?

scelikok · ‎02-17-2021

Is it possible that the filenames on those folders are not matching *.gz ?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

rahulg · ‎02-17-2021

Now i tried to chaneg inputs.conf

[monitor:///opt/splunk/etc/apps/my_app/bin/out/]

whitelist = \.gz$
recursive = true
disabled=0
index=security_my_index
sourcetype=fzzz
source=fdr
interval=60

looks like files are getting read but not indexed

i see logs

INFO ArchiveProcessor - new tailer already processed path=

logs says

Are you a member of the Splunk Community?