I have a log structure like so:
/opt/data/logs/tomcat/foo or /opt/data/logs/tomcat/bar
The logs themselves are something like log1.out.2012-05-01, etc.
I've tried several monitor stanzas like:
[monitor:///opt/data/logs/tomcat/.../*]
whitelist: foo\.out\.*
or
[monitor:///opt/data/logs/tomcat/.../foo\.out\.*]
but nothing is picking up these logs...
The monitor path looks good.
Are your files starting with the same first lines?
Maybe it is the CRC calculation on the first 256 chars causing the log files to be considered identical.
A workaround for this is to add crcSalt in inputs.conf, see http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/Inputsconf
If there is no timestamp in the events, maybe the timestamp is extracted from the filename; please search over all time for source=myfile
Finally, to check what the tailing processor is saying, use the REST API:
https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
The REST API was great, that provided good clues. It had to do with overlapping monitor stanzas. In the old environment, the server had separate folders; with the move to the new one, I changed all monitor stanzas to the same folder, but apparently only one whitelist applied!
Changed to a (x.log|y.log) etc. whitelist and one stanza...
I think web mangled... I had the "." characters escaped, btw
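The overlapping-stanza problem found above can be checked for before deployment. The following is an added example, not code from this thread or from Splunk: it scans an inputs.conf for monitor stanzas declared more than once with the same path and prints the single combined whitelist to use instead. The sample config is constructed, and "overlap" is assumed to mean an identical monitor path string.

```python
import re
from collections import defaultdict

# Constructed sample inputs.conf: two stanzas pointing at the same folder.
SAMPLE_INPUTS_CONF = r"""
[monitor:///opt/data/logs/tomcat/.../*]
whitelist = foo\.out\..*

[monitor:///opt/data/logs/tomcat/.../*]
whitelist = bar\.out\..*

[monitor:///var/log/messages]
sourcetype = syslog
"""

STANZA = re.compile(r"^\[monitor://(?P<path>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>\w+)\s*=\s*(?P<value>.*)$")

def parse_monitor_stanzas(text):
    """Return [(path, settings)], keeping duplicates that a merging parser would hide."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = {}
            stanzas.append((m.group("path").rstrip("/"), current))
        elif line.startswith("["):
            current = None  # another input type; ignore its settings
        elif current is not None and (s := SETTING.match(line)):
            current[s.group("key")] = s.group("value").strip()
    return stanzas

def find_overlaps(stanzas):
    """Map each monitor path declared more than once to its list of whitelists."""
    by_path = defaultdict(list)
    for path, settings in stanzas:
        by_path[path].append(settings.get("whitelist"))
    return {p: w for p, w in by_path.items() if len(w) > 1}

def merged_whitelist(whitelists):
    """Combine per-stanza whitelists into one alternation for a single stanza."""
    return "(" + "|".join(w for w in whitelists if w) + ")"

if __name__ == "__main__":
    for path, wl in find_overlaps(parse_monitor_stanzas(SAMPLE_INPUTS_CONF)).items():
        print(f"[monitor://{path}] declared {len(wl)} times; "
              f"use one stanza with whitelist = {merged_whitelist(wl)}")
```

Monitor paths that overlap through different wildcard spellings are not detected by this string comparison; the TailingProcessor:FileStatus endpoint mentioned above remains the check for what is actually being tailed.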