I'm trying to monitor the XML files that define a Solaris service. These files live under /var/svc/manifest/.../*.xml:
/var/svc/manifest/application/stosreg.xml
/var/svc/manifest/application/management/wbem.xml
/var/svc/manifest/network/rpc/rstat.xml
/var/svc/manifest/network/rpc/bind.xml
/var/svc/manifest/network/rpc/wall.xml
/var/svc/manifest/platform/sun4u/oplhpd.xml
/var/svc/manifest/milestone/multi-user.xml
/var/svc/manifest/system/console-login.xml
/var/svc/manifest/system/mdmonitor.xml
I have the following defined in my inputs.conf:
[filter:whitelist:xml_files]
regex1 = \.xml$
[filter:blacklist:terminal-blacklist]
regex1 = .?
[fschange:/var/svc/manifest]
sourcetype = solaris_etc
index = fileint
filters = xml_files, terminal-blacklist
disabled = false
recurse = true
pollPeriod = 300
fullEvent = true
sendEventMaxSize = -1
I'm using the whitelist regex for another fschange and it does match the XML files. The problem I'm having is that when recurse=true it doesn't appear to match anymore. I've tried variations such as .*\/.*\.xml, etc., and nothing seems to help.
According to this page in the docs: http://www.splunk.com/base/Documentation/4.1.4/Admin/Monitorchangestoyourfilesystem, it should be working.
Any help is greatly appreciated.
Jon
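An added example, not part of the original post and not Splunk's code: a small Python model of the posted filters, assuming they are evaluated left to right with the first match deciding, against the full path of every file and directory met during the recursive walk. Under that assumption each subdirectory falls through to the blacklist before any .xml file is reached; `WITH_DIRS` and its `/[^/.]+$` pattern are hypothetical.

```python
import re
from collections import defaultdict

# Manifest paths quoted in the post (subset), used as a constructed tree.
ROOT = "/var/svc/manifest"
FILES = [
    "/var/svc/manifest/application/stosreg.xml",
    "/var/svc/manifest/application/management/wbem.xml",
    "/var/svc/manifest/network/rpc/bind.xml",
    "/var/svc/manifest/platform/sun4u/oplhpd.xml",
    "/var/svc/manifest/system/console-login.xml",
]

def build_tree(files, root=ROOT):
    """Map each directory to its children as (path, is_dir) pairs."""
    tree = defaultdict(set)
    for f in files:
        parts = f[len(root) + 1:].split("/")
        parent = root
        for i, name in enumerate(parts):
            child = parent + "/" + name
            tree[parent].add((child, i < len(parts) - 1))
            parent = child
    return tree

def allowed(path, filters):
    """First filter whose regex matches decides; no match means allowed (assumed)."""
    for kind, patterns in filters:
        if any(re.search(p, path) for p in patterns):
            return kind == "whitelist"
    return True

def poll(filters, files=FILES, root=ROOT):
    """Return the files a recursive poll would report under the assumed model."""
    tree, seen, stack = build_tree(files, root), [], [root]
    while stack:
        for child, is_dir in sorted(tree[stack.pop()]):
            if not allowed(child, filters):
                continue            # rejected directories are never descended
            (stack if is_dir else seen).append(child)
    return sorted(seen)

# Filters as posted: directories miss \.xml$ and fall through to the blacklist.
POSTED = [("whitelist", [r"\.xml$"]), ("blacklist", [r".?"])]
# Hypothetical variant: also whitelist names without a dot (directories here).
WITH_DIRS = [("whitelist", [r"\.xml$", r"/[^/.]+$"]), ("blacklist", [r".?"])]

if __name__ == "__main__":
    print("posted filters   :", poll(POSTED))
    print("dirs whitelisted :", poll(WITH_DIRS))
```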