Individual file monitor is working but not with the wildcards. I've tested a similar wildcard on local disk which is working.
# working [monitor://\\host.share.com\UploadData\support\data\_Customers\M\M123\M123\GRP-123\2013_01_16.23_00_57.191957\191957.disktool.txt] # not working [monitor://\\host.share.com\UploadData\support\data\_Customers\*\*\*\*\*\*.disktool.txt]
I think it's just that Splunk doesn't multiple similar stanzas for monitor rules that contain wild cards. Not sure if that's a performance setting? It seems and individual rule does work on the shares. This would be quite simple to do with a linux ls script to list out multiple files with a simple pattern. Hope a future update will simplify this type of monitor. I've been reading the doc below and testing out using props.conf with a single monitor rule. Hoping not to have also use transforms. http://blogs.splunk.com/2010/02/11/sourcetypes-gone-wild/
I've been reading
And after a few aspirin, I've decided that the slash after the ellipse is escaping the asterisk thereby making it literal for the first one because the slash is a regex character. Unfortunately, why the last one works does not make sense, and the doc does not explain that much aspirin.
Regardless, I think that the ellipse wildcard should handle all of your wildcard needs, so I've updated the answer to remove the last \ and *.
Thanks, this works for one monitor stanza but introduces another issue since I have multiple monitor stanzas. Only one works at a time but if both are enabled, only the last one works. Both stanzas below are similar but one has disktool.txt and one has diskview.txt.