Hi,
How would I tell Splunk to monitor a specific file through a set of subdirectories? Would I set a wildcard in the monitor statement? Should I use a whitelist?
I would aim the monitor at the higher level common directory and whitelist.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Whitelistorblacklistspecificincomingdata
Example:
[monitor:///data1/logs/]
whitelist = logfileyouwant.log
That should just grab that file name regardless of where it shows up in all the different subdirectories under /data1/logs/.
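Added example, not part of the original answer: Splunk treats the `whitelist` value as a regular expression matched against each file's full path, so the sketch below compares the value as posted with an anchored variant over a set of constructed paths. It assumes Python's `re` behaves like Splunk's regex engine for these simple patterns; the sample paths and the anchored pattern are illustrative.

```python
import re

# Constructed sample paths under the monitored directory (not from the original post).
SAMPLE_PATHS = [
    "/data1/logs/app1/logfileyouwant.log",
    "/data1/logs/app2/deep/nested/logfileyouwant.log",
    "/data1/logs/app1/logfileyouwant.log.1",
    "/data1/logs/app1/logfileyouwant.log.gz",
    "/data1/logs/app3/old_logfileyouwant.log",
    "/data1/logs/app3/logfileyouwant_log",
    "/data1/logs/app3/other.log",
]

AS_POSTED = r"logfileyouwant.log"     # whitelist value from the answer
ANCHORED = r"/logfileyouwant\.log$"   # assumed tighter variant: exact file name only


def monitored(whitelist, paths):
    """Return the paths a whitelist keeps: unanchored regex search on the full path."""
    rx = re.compile(whitelist)
    return [p for p in paths if rx.search(p)]


def extra_matches(loose, strict, paths):
    """Paths the loose pattern picks up that the strict one excludes."""
    strict_set = set(monitored(strict, paths))
    return [p for p in monitored(loose, paths) if p not in strict_set]


if __name__ == "__main__":
    for name, pattern in (("as posted", AS_POSTED), ("anchored", ANCHORED)):
        print(f"whitelist = {pattern}   ({name})")
        for p in monitored(pattern, SAMPLE_PATHS):
            print("   ", p)
    print("extra files picked up by the posted value:")
    for p in extra_matches(AS_POSTED, ANCHORED, SAMPLE_PATHS):
        print("   ", p)
```

Both values collect the file from every subdirectory; the anchored one leaves out rotated copies and similarly named files.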