Hi,
I need to monitor a specific file that can exist in many subdirectories. The file exists below this directory: F:\IBM\WebSphere\AppServer\profiles\RTCGW_Profile\logs>
My inputs.conf looks like this. I'm not getting the SystemOut.log or SystemErr.log, even though they exist and are generating data. Did I do something wrong?
[monitor://F:\IBM\WebSphere\AppServer\profiles\RTCGW_Profile\logs]
recursive = true
sourcetype = STGWProfileLogs_system
index = euc_sametimedata
crcSalt = <SOURCE>
whitelist = SystemOut.log|SystemErr.log
Your path doesn't include any wildcards at all. Refer to http://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards for the correct use of ... and * wildcards.
You may be looking for something like this:
[monitor://F:\IBM\WebSphere\AppServer\profiles\RTCGW_Profile\logs\*]
To take everything you likely need to add a trailing backslash under Windows. ..._Profile\logs only looks for a file named logs if I remember correctly.
Thanks. Wildcard the monitored directories, or specific files that I want monitored, or both? In this case, I was assuming that it would take everything under my logs directory, and look for my whitelist.