I had the stanza in inputs.conf in the universal forwarder as:
[monitor:///my/logs/project]
blacklist = .(gz)$
whitelist = (xyz_debug_ms[1-4]{1}.txt|app1_ms[1-4]{1}.txt|\
app2sos_ms[1-2]{1}.log|system_ms.log\
remoteserver.log)
sourcetype = mylogs
index = my index
After restart, the forwarder showed only a few files in "splunk list monitor" and only those files were sent to indexer for search. I then removed "\" and create two stanza, with same monitor:: line, with a few files in whitelist in the first stanza and the remaining in the second stanza.
After restart, the forwarder is not showing the files which it had shown earlier in the list monitor. how to ensure all the files can be monitored and send to indexer?
... View more