Only the first stanza works. When I comment out one of them, it works fine, but no matter what happens, I can't get them both to work...
Only highlighted logs are forwarded.
# logs1
[monitor:///home/mmm/logs/mmm.log*]
sourcetype = Core
index = CoreLog
_TCP_ROUTING = umm
#recursive = false
#whitelist = mmm\.log(\.1)?
# logs2
[monitor:///home/mmm/logs/mmm/smmm.log*]
sourcetype = CoreSMS
index = CoreLog
_TCP_ROUTING = umm
whitelist = smmm\.log(\.\d+\-\d+\-\d+)?
Have you tried it like this:
# logs1
[monitor:///home/mmm/logs/mmm.log*]
sourcetype = Core
index = CoreLog
_TCP_ROUTING = umm
recursive = false
# logs2
[monitor:///home/mmm/logs/mmm/smmm.log*]
sourcetype = CoreSMS
index = CoreLog
_TCP_ROUTING = umm
recursive = false
Also, does your SUF show any error messages in the logs?
Yeah, it might be a bug actually. Have a look at this post:
Sorry, I have tried the above on multiple instances, but the same issue remains....
Could this be due to the fact that the #log2 stanza is pointing at a subdirectory, as opposed to the #log1 stanza, which is one directory above it?
Splunk Universal Forwarder. I imagine the config you pasted there is not from the inputs.conf on the Splunk server but from some other box running a forwarder (Splunk agent).
What's a SUF?