I have a very similar issues as MasterOogway mine is just on Windows. Running ver 4.1.6
I have a simple monitor set to watch for a specific file name with a regex to define the date stamped file. The file in question is named, /Logs/20110321/SERVER_APP_01_20110321_0001.txt
On my LWF I have the following simple inputs.conf definition:
F:\Program Files (x86)\App\App Server\Logs\...\*.txt.
From ../splunkd.log I get the following error:
DEBUG TailingProcessor - No configurations match, will ignore path='F:\Program Files (x86)\App\App Server\Logs\20110321\SERVER_APP_01_20110321_0001.txt
DEBUG TailingProcessor - Not using stanza for this item (Did not match whitelist '^F:\\Program Files (x86)\\App\\App Server\\Logs\\.*\\[^\\]*\.txt$'.).
My question is, "why does this not match?" It obviously finds the file based on the regex.
FULL STANZA
#Monitor App Server Logs
[monitor://F:\Program Files (x86)\App\App Server\Logs\...\*.txt]
sourcetype = APP
Looks like there is a problem with the wildcards ... and *.
Tried with a whitelist instead and it works.
[monitor://F:\Program Files (x86)\App\App Server\Logs] sourcetype = APP whitelist = *..txt$ recursive = true
Thank you Splunk support - Yann
Looks like there is a problem with the wildcards ... and *.
Tried with a whitelist instead and it works.
[monitor://F:\Program Files (x86)\App\App Server\Logs] sourcetype = APP whitelist = *..txt$ recursive = true
Thank you Splunk support - Yann
Interesting, it might be a bug. The regex contains (x86)
, and the parentheses there are only used to group, not to match. The correct matching regex would have \(x86\)
instead. That should have been generated correctly by Splunk from the monitor clause. I'm not sure of a good workaround.
see above for full stanza
I wouldn't expect crcSalt to do anything under these circumstances. This has to do with the whitelist not being matched, which isn't affected by the salt. Could you paste the entire monitor stanza into the description from your inputs.conf?
ohh, and I tried adding "crcSalt =