I have log files coming in from a Windows Server, and I can receive the required files when I specify the specific filename; however, I need to use a wildcard and it does not seem to be working.
The log file I need to receive is named d:[path]\localhost_access_log.2019-11-08.txt, but I would like to replace the date section with a wildcard such as d:[path]\localhost_access_log.*.txt; however, the log stops when I use the wildcard.
My inputs.conf looks like:
[monitor://D:\[path]\logs\]
whitelist=localhost_access_log*txt
disabled = 0
I've tried numerous variations such as * ... etc. as I've seen referenced in various posts; however, none have worked.
When I include the exact file name in the monitor section, the log works fine; however, I need the date to be wildcarded.
Any suggestions greatly appreciated.
[monitor://D:\[path]\logs\localhost_access_log.*.txt]
disabled = 0
The reason that you think that it is not working is because you are probably testing it wrong. By default, Splunk will NOT resend a file just because you change the name; you have to change the content, too. Put this setting in place, then restart Splunk there, then manually create a new file that should be forwarded and fill it with anything but what is already there. It will work.
disabled = 0
If it did not work, you have to troubleshoot the input.
Your solution was not provided in the "Answer" section, only as a comment, so I am unable to accept the answer. If you copy it into "Post your answer", I can then accept it as correct.
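An added example, not part of any post in this thread: `whitelist` in inputs.conf is a regular expression tested against the file path, while `*` in a monitor path is a wildcard that stays inside one directory level and `...` crosses directories. The sketch below compares the question's whitelist with the answer's wildcarded stanza on constructed paths. `app` stands in for the elided `[path]`, the function names are hypothetical, and the translation is a simplified model of the rules in the Splunk documentation, not Splunk's own code.

```python
import re

# Constructed sample paths; "app" is a placeholder for the elided [path].
SAMPLE_FILES = [
    r"D:\app\logs\localhost_access_log.2019-11-08.txt",
    r"D:\app\logs\localhost_access_log.2019-11-09.txt",
    r"D:\app\logs\catalina.2019-11-08.log",
    r"D:\app\logs\old\localhost_access_log.2019-01-01.txt",
]

def select(regex, paths):
    """Return the paths a whitelist-style regex matches (unanchored search)."""
    return [p for p in paths if re.search(regex, p)]

def split_monitor_path(monitor_path):
    """Model a wildcarded monitor path as (base directory, implicit regex).

    '*'   -> any run of characters except the path separator
    '...' -> any run of characters, including separators
    Everything else is matched literally.
    """
    base = []
    for segment in monitor_path.split("\\"):
        if "*" in segment or "..." in segment:
            break                      # first wildcard segment ends the base
        base.append(segment)
    regex, i = "", 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            regex += ".*"
            i += 3
        elif monitor_path[i] == "*":
            regex += r"[^\\]*"
            i += 1
        else:
            regex += re.escape(monitor_path[i])
            i += 1
    return "\\".join(base), regex + "$"

if __name__ == "__main__":
    # The question's whitelist read as a regex: "g*" means "zero or more g",
    # so "txt" would have to follow "log" directly. Nothing matches.
    print(select(r"localhost_access_log*txt", SAMPLE_FILES))
    # The same intent written as a regex.
    print(select(r"localhost_access_log\..*\.txt$", SAMPLE_FILES))
    # The answer's wildcarded monitor path.
    base, rx = split_monitor_path(r"D:\app\logs\localhost_access_log.*.txt")
    print(base, rx, select(rx, SAMPLE_FILES))
```

A stanza whose pattern matches no file ingests nothing and raises no error, so checking the pattern against real file names before deploying it helps catch a silent gap in log collection.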