Awesome, thanks so much for this reply (and for coming back and posting the post-fix solution). I was having this exact same issue with a Splunk UF monitoring some log files (to debug, I was searching the last 4 hours on my indexer to see when/if I had fixed inputs.conf on the UF; I was also monitoring splunkd.log on the UF, but I couldn't fix it!). This was the issue: the Splunk UF couldn't read the timestamp of the log files it was monitoring properly, so the files were being sent but in the past! So my fix was the same as yours, in that I made a custom sourcetype with timestamp="current time" on the main Splunk indexer (web GUI), and then in the UF's inputs.conf set the stanza for monitor://c:/blah/file.log.* to use that custom sourcetype. Thanks again!