I've set up a heavy forwarder on "stage2" (linux machine) and a central Splunk instance on "stage1" (another linux machine). I'm trying to monitor the following folder on stage2:
/x/web/stage2/logs/
and I want to pick up the following files:
ALERT.log.15-08-01.log
ALERT.log.15-08-06.log
ALERT.log.15-08-07.log
ALERT.log.15-08-08.log
ALERT.log.15-08-09.log
ALERT.log.15-08-10.log
ALERT.log.15-08-11.log
ALERT.log.15-08-12.log
ALERT.log.15-08-13.log
ALERT.log.15-08-14.log
ALERT.log.15-08-15.log
ALERT.log.15-08-16.log
ALERT.log.15-08-17.log
ALERT.log.15-08-18.log
ALERT.log.15-08-19.log
ALERT.log.15-08-20.log
ALERT.log.15-08-21.log
ALERT.log.15-08-22.log
ALERT.log.15-08-23.log
ALERT.log.15-08-24.log
ALERT.log
It is important that the rollover/historical logs get picked up. (FYI I had no say in the naming convention used for them)
Steps I took:
Monitoring /x/web/stage2/logs/ with the whitelist /ALERT.*/g. This brings only the ALERT.log to stage1.
Maybe my regex was bad, so I purged all stage2 logs from stage1 and deleted the monitoring rule on stage2. Starting over.
Monitoring /x/web/stage2/logs/ with no whitelist defined. Restarted stage2. Restarted stage1 for good measure. Again, this brings only the ALERT.log to stage1.
Purged all stage2 logs from stage1 and deleted the monitoring rule on stage2. Starting again.
Monitoring /x/web/stage2/logs/ with the most generous regex defined as the whitelist. Restarted stage2, then stage1. Same result.
On stage2, under Settings -> Data Inputs -> Files & Directories, the monitoring rule shows a high enough number to where I believe stage2 is monitoring all the files I want it to, but only the one ALERT.log file makes it to stage1.
Is there something that prevents Splunk from picking up logs named a certain way? Anyone with any ideas about what might be going on here?
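Two checks a practitioner would run against the file list above before restarting anything, written as an added example (not code from the original post or from Splunk). It assumes Splunk's documented behaviour that a monitor stanza's whitelist is a regex searched against the full path of each file, and that by default the forwarder identifies a file by a CRC over its first 256 bytes (the initCrcLength default), so rolled-over files that begin with an identical header can be mistaken for a file already indexed unless crcSalt is set. The file names are taken from the post; OTHER.log and the sample file contents are constructed.

```python
import re
import zlib

# Constructed from the post: directory plus the rolled-over and live ALERT logs.
LOG_DIR = "/x/web/stage2/logs"
FILENAMES = [
    "ALERT.log",
    "ALERT.log.15-08-01.log",
    "ALERT.log.15-08-06.log",
    "ALERT.log.15-08-24.log",
    "OTHER.log",  # constructed: a file the whitelist should NOT admit
]
FULL_PATHS = [f"{LOG_DIR}/{name}" for name in FILENAMES]


def matching_paths(whitelist, paths=FULL_PATHS):
    """Return the full paths a Splunk-style whitelist regex would admit.

    Splunk matches the whitelist as an unanchored regex against the full
    path, so re.search (not re.fullmatch) mirrors it.  The regex is a bare
    pattern: JavaScript-style delimiters such as /.../g are taken literally.
    """
    pattern = re.compile(whitelist)
    return [p for p in paths if pattern.search(p)]


def initial_crc(content, length=256):
    """CRC over the first `length` bytes, the way a forwarder fingerprints
    a file by default (assumption: initCrcLength defaults to 256).
    zlib.crc32 stands in for Splunk's own CRC; only equality matters here."""
    return zlib.crc32(content[:length])


def files_sharing_initial_crc(contents, length=256):
    """Group file names whose first `length` bytes are identical.

    Any group with more than one member would be seen as the same file
    unless crcSalt = <SOURCE> is set on the monitor stanza (assumption).
    """
    groups = {}
    for name, body in contents.items():
        groups.setdefault(initial_crc(body, length), []).append(name)
    return [names for names in groups.values() if len(names) > 1]


# Constructed sample contents: every rolled log starts with the same banner,
# which is longer than 256 bytes, so the per-day content never reaches the CRC.
BANNER = b"# ALERT log - application X - " + b"=" * 300 + b"\n"
SAMPLE_CONTENTS = {
    "ALERT.log.15-08-01.log": BANNER + b"2015-08-01 ALERT disk 91%\n",
    "ALERT.log.15-08-06.log": BANNER + b"2015-08-06 ALERT disk 93%\n",
    "ALERT.log": BANNER + b"2015-08-24 ALERT disk 97%\n",
    "OTHER.log": b"2015-08-24 INFO started\n",
}

if __name__ == "__main__":
    for wl in (r"/ALERT.*/g", r"ALERT\.log", r"ALERT\.log(\.\d{2}-\d{2}-\d{2}\.log)?$"):
        print(f"whitelist = {wl!r} admits {len(matching_paths(wl))} file(s)")
    print("files a default CRC would collapse:", files_sharing_initial_crc(SAMPLE_CONTENTS))
```

Usage: run it as-is; the first whitelist, taken literally, admits nothing, both bare patterns admit the four ALERT files and reject OTHER.log, and the three files sharing the banner are reported as one group. If the real rolled logs show the same grouping, the fix to try is crcSalt = <SOURCE> on the stanza rather than another whitelist change.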