So, this is my problem area of an inputs.conf file on a box with a 4.2.2 universal forwarder:
Directory names made up here, but you get the idea.
[monitor://C:\Program Files (x86)\DirectoryName\...\Logs]
sourcetype = pah
index = sandbox
disabled = false
The problem is that regardless of if I use a ... or an * it refuses to even acknowledge the paths I want. Further, there are no indications of ANY errors in the logs.
The two paths I'm trying to monitor with this wildcard are:
C:\Program Files (x86)\DirectoryName\Name Name Name - Test\Logs
C:\Program Files (x86)\DirectoryName\Name Name Name - Live\Logs
Important to note that if I remove the wildcard and just use:
C:\Program Files (x86)\DirectoryName\Name Name Name - Live
It recursively loads all the files just fine. Before you ask, I've cleaned the index and to be certain I've even manually created new files in there for it to pick up, which it doesn't.
Any idea why this isn't working?
I was having this same issue yesterday, and as explained by jrodman, when you use the wildcard, it then "changes" how it's looking at that path and is looking for the filename to end at "Logs". Not exactly how he explained it, but close.
Modify your monitor stanza, adding "\*" to the end, and it should begin working. You can query the REST API to find out why it is or isn't picking up files at the following URL:
https://
You'll need to have changed the default admin password unless you're connecting via localhost. If you look at this URL now, it should list the files under your Logs directory, but complain that they don't match the whitelist of: C:\Program Files (x86)\DirectoryName.*\Logs$
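Added example, not part of the original thread and not Splunk's own code: a simplified Python model of the behaviour described in the answer above, where a wildcarded monitor path turns into an end-anchored whitelist regex applied to each file path. The translation rules (`...` to `.*`, `*` to a single path segment) and the file names `app.log` and `archive\old.log` are assumptions made for illustration.

```python
import re

SEP = "\\"  # Windows path separator, as in the thread's paths

def implicit_whitelist(monitor_path):
    """Return (base_dir, regex) for a wildcarded monitor path, or (path, None)."""
    tokens = re.split(r"(\.\.\.|\*)", monitor_path)
    if len(tokens) == 1:
        return monitor_path, None          # no wildcard: plain recursive monitor
    head = tokens[0]
    cut = head.rfind(SEP)
    base = head[:cut] if cut >= 0 else head  # literal directory before the first wildcard
    out = []
    for tok in tokens:
        if tok == "...":
            out.append(".*")               # any number of directory levels
        elif tok == "*":
            out.append("[^" + re.escape(SEP) + "]*")  # one path segment only
        else:
            out.append(re.escape(tok))
    return base, "".join(out) + "$"        # '$' pins the match to the end of the path

def would_index(monitor_path, file_path):
    """True if file_path is under the base directory and passes the whitelist."""
    base, regex = implicit_whitelist(monitor_path)
    if not file_path.startswith(base + SEP):
        return False
    return regex is None or re.search(regex, file_path) is not None

# Constructed sample paths, using the placeholder directory names from the question.
ROOT = r"C:\Program Files (x86)\DirectoryName"
LIVE_DIR = ROOT + r"\Name Name Name - Live"
LIVE_LOG = LIVE_DIR + r"\Logs\app.log"
TEST_LOG = ROOT + r"\Name Name Name - Test\Logs\app.log"
NESTED_LOG = LIVE_DIR + r"\Logs\archive\old.log"

ORIGINAL = ROOT + r"\...\Logs"    # stanza from the question
FIXED = ROOT + r"\...\Logs\*"     # stanza with "\*" appended, as the answer suggests

if __name__ == "__main__":
    for stanza in (ORIGINAL, FIXED, LIVE_DIR):
        print(stanza, "->", implicit_whitelist(stanza)[1])
        for path in (LIVE_LOG, TEST_LOG, NESTED_LOG):
            print("   ", "match" if would_index(stanza, path) else "skip ", path)
```

In this model the original stanza only matches a path whose last component is `Logs`, so every file inside that directory is skipped, while the `\*` form matches files directly inside `Logs` but not in deeper subdirectories.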
On the forwarder, what do you get when you run
cd \Program Files\splunk\bin
splunk list monitor
The output of the "splunk list" command should give you some hint of what Splunk is doing...