Indexing server.log and boot.log files using the following stanzas for both:
[monitor:///opt/directory/logs/servername/boot.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$
[monitor:///opt/directory/logs/servername/server.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$
The behavior is inconsistent: sometimes both files are indexed, and in other cases only one file is. Is there a specific place (e.g. fishbucket) that I can search to see what got indexed or refused and why (any error messages)?
You can try looking at the status of the TailingProcessor which handles file monitor inputs.
https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
Here's a Splunk Wiki page on troubleshooting monitor inputs.
https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs
Hope those help!
Reviewed the status of the TailingProcessor on a few hosts and, again, the behavior is inconsistent. On one host, the file was read but nothing shows up in the search head (within the last 7 days). On another host, only one of the 2 stanzas was used for file comparison, and it indicated that there was no match, so the file was not read.