I have two monitor stanzas to watch nginx access logs: a specific stanza to route a team's error logs to their specific index, and another fallback stanza to catch any error logs not routed to a specific index:
$ splunk cmd btool inputs list
...
[monitor:///var/log/nginx/*batman*error.log]
_rcvbuf = 1572864
host = p2....00a
index = prod-batman
sourcetype = nginx-error
...
[monitor:///var/log/nginx/*error.log]
_rcvbuf = 1572864
host = p2....00a
index = prod-fallback
sourcetype = nginx-error
My intention is that the file /var/log/nginx/batman-service-a-error.log is routed to index prod-batman , while the file /var/log/nginx/other-team-service-a-error.log is routed to prod-fallback . But this is not happening. I see:
$ splunk list monitor
Monitored Directories:
...
/var/log/nginx/*error.log
/var/log/nginx/batman-service-a-error.log
/var/log/nginx/batman-service-b-error.log
/var/log/nginx/batman-service-c-error.log
Indeed, there is no entry for /var/log/nginx/*batman*error.log in the output of splunk list monitor . Is there any way to force the stanza [monitor:///var/log/nginx/*batman*error.log] to take precedence over [monitor:///var/log/nginx/*error.log] ?
... View more