I need to monitor a single file that exists in multiple directories, which can change without my notice, but will follow the same format. I tried setting up a wildcard, but it's not working.
The directory structure is:
The filename is always gpws_error.log, and the filesystem will always begin with /pwstcdwlk, but the segment after log can change and be almost anything.
I had the following, but it did not work.
[monitor:///pwstcdwlk*/log/.../gpws_error.log]
recursive = yes
disabled = false
followTail = false
sourcetype = log4j
index = throwaway
You mentioned a specific directory structure. Do you have multiple directory structures like that?
... -> is a recursive wildcard. What you have as of now should also work if there is something like pwstcdwlkABC, pwstcdwlk123, etc.
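An added example, not from any poster in this thread and not Splunk's own code: a small Python model of how Splunk's documentation describes wildcard monitor paths being handled (the longest wildcard-free leading directory becomes the monitored base, `...` is treated like the regex `.*`, and `*` like `[^/]*`), useful for checking which files a stanza path should pick up before deploying it. The function names and the sample paths are constructed for illustration.

```python
import re

def translate_monitor_path(path):
    """Return (base_dir, whitelist_regex) for a monitor path with * or ... wildcards."""
    # The monitored base is the longest leading run of wildcard-free segments.
    base = []
    for seg in path.split("/"):
        if "*" in seg or "..." in seg:
            break
        base.append(seg)
    base_dir = "/".join(base) or "/"
    # "..." crosses directory levels (.*); "*" stays inside one segment ([^/]*).
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return base_dir, "^" + "".join(out) + "$"

def check_paths(monitor_path, candidates):
    """Map each candidate file path to True/False under the translated whitelist."""
    _, regex = translate_monitor_path(monitor_path)
    return {p: re.match(regex, p) is not None for p in candidates}

STANZA_PATH = "/pwstcdwlk*/log/.../gpws_error.log"  # path from the stanza in the question

# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = [
    "/pwstcdwlk1/log/PROCESSMONITOR/gpws_error.log",  # one level under log
    "/pwstcdwlkabc/log/a/b/gpws_error.log",           # two levels under log
    "/pwstcdwlk1/log/gpws_error.log",                 # directly in log: no match in this model
    "/pwstcdwlk1/other/log/x/gpws_error.log",         # "*" does not cross a "/"
    "/pwstcdwlk1/log/x/other.log",                    # different file name
]

if __name__ == "__main__":
    base_dir, regex = translate_monitor_path(STANZA_PATH)
    print("monitored base:", base_dir)
    print("implicit whitelist:", regex)
    for p, ok in check_paths(STANZA_PATH, SAMPLE_PATHS).items():
        print("match   " if ok else "no match", p)
```

With the wildcard in the first path segment, the wildcard-free base in this model is `/`, so the whole filesystem root is the starting point for the whitelist match.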
The ones that I want all begin with pwstcdwlk, but it can change after that - could be a 1, could be abc... - out of my control. I don't want to make it wide open, as other files could be grabbed.
Do you see any error in the logs? If that's the case then your stanza looks right to me. There is no data being indexed from the log file? How many lines does the log file have?
Lots of data available, with multiple logs. The splunkd.log isn't showing any errors - just this message: 03-06-2014 08:02:58.235 -0500 INFO TailingProcessor - Parsing configuration stanza: monitor:///pws*/log/.../gpws_error.log.
Here's some sample output of an ls command:
-rw-rw-r-- 1 blahblah blahblah 165 Mar 5 08:15 /pwstcawlk3/log/PROCESSMONITOR/gpwserror.log
-rw-rw-r-- 1 blahblah blahblah 180874 Mar 5 10:22 /pwstcawlk2/log/HTTPCONTROLLERARCH/gpwserror.log
Those files (and others) are not being indexed. BTW - this is on AIX, if that matters.
FWIW, I also encountered this in 220.127.116.11 -- not sure if any other versions affected.
Did not work properly. Something about the wildcard at the base directory.
I had to use