I am not getting expected behavior when specifying inputs.
All my logs are in a folder called "/syslog/"
1.3M -rw-r--r-- 1 root root 1.3M Oct 22 09:42 cron
8.6M -rw-r--r-- 1 root root 8.6M Oct 21 17:26 cron.1413937561.gz
4.3M -rw-r--r-- 1 root root 4.2M Oct 22 09:42 maillog
1.2M -rw-r--r-- 1 root root 1.2M Oct 21 17:08 maillog.1413936480.gz
8.1M -rw-r--r-- 1 root root 8.1M Oct 22 09:42 messages
868K -rw-r--r-- 1 root root 866K Oct 22 04:59 messages.1413979164.gz
872K -rw-r--r-- 1 root root 869K Oct 22 06:40 messages.1413985201.gz
872K -rw-r--r-- 1 root root 871K Oct 22 08:20 messages.1413991204.gz
636K -rw-r--r-- 1 root root 632K Oct 22 09:42 secure
1.8M -rw-r--r-- 1 root root 1.8M Oct 21 17:07 secure.1413936453.gz
I have an input defined as:
[monitor:///syslog/messages*]
disabled = false
followTail = 0
host =
host_regex =
sourcetype = syslog
index = messages
I want all log files called "messages" or "messages.*.gz" to be indexed in the messages index. However, currently all logs in the directory are being indexed in the messages index.
Do I need to only specify directories as inputs? I thought I could specify a file.
Edit -
I was using the splunk list monitor command, and I see the problem, sort of. One of my inputs is being treated as a directory and is matching this when it seems like it shouldn't, and the other inputs are seen as files and are not matching even though they seem like they should.
Monitored Directories:
...
/syslog/secur*
/syslog/cron
/syslog/cron.1413937561.gz
/syslog/maillog
/syslog/maillog.1413936480.gz
/syslog/messages
/syslog/messages.1413936430.gz
/syslog/messages.1413942613.gz
/syslog/messages.1413948715.gz
/syslog/messages.1413954849.gz
/syslog/messages.1413960903.gz
/syslog/messages.1413967086.gz
/syslog/messages.1413973094.gz
/syslog/messages.1413979164.gz
/syslog/messages.1413985201.gz
/syslog/messages.1413991204.gz
/syslog/messages.1413997262.gz
/syslog/messages.1414003369.gz
/syslog/messages.1414009642.gz
/syslog/messages.1414015924.gz
/syslog/secure
/syslog/secure.1413936453.gz
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/syslog/boo*
/syslog/cro*
/syslog/maillo*
/syslog/message*
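The following is an added example, not code from the post above or from Splunk. It is a pre-flight check that parses a small inputs.conf-style text and applies plain shell-glob semantics (Python's fnmatch) to each [monitor://...] path against a directory listing, so you can see which files each stanza would claim and whether any file is claimed by more than one stanza or by none. Treating a wildcard path as a glob and a bare directory path as "everything beneath it" is an assumption about the intended matching, not a model of Splunk's internals; compare its output with what `splunk list monitor` reports. The cron and secure stanzas, their index names, and the file listing are constructed from the names in the post for illustration.

```python
"""Pre-flight check: which files does each [monitor://] stanza claim?

Added example, not from the original post or from Splunk. It applies plain
shell-glob semantics (fnmatch) to stanza paths, which is an assumption about
how the patterns are meant to match; compare with `splunk list monitor`.
"""
import fnmatch
import re
from collections import defaultdict

# Constructed inputs.conf text: the messages stanza from the post plus two
# stanzas (cron, secure) and index names assumed here for illustration.
INPUTS_CONF = """
[monitor:///syslog/messages*]
disabled = false
sourcetype = syslog
index = messages

[monitor:///syslog/cron*]
sourcetype = syslog
index = cron

[monitor:///syslog/secure*]
sourcetype = linux_secure
index = auth
"""

# Constructed listing of /syslog/ built from the file names in the post.
FILES = [
    "/syslog/cron",
    "/syslog/cron.1413937561.gz",
    "/syslog/maillog",
    "/syslog/maillog.1413936480.gz",
    "/syslog/messages",
    "/syslog/messages.1413979164.gz",
    "/syslog/messages.1413985201.gz",
    "/syslog/secure",
    "/syslog/secure.1413936453.gz",
]

STANZA_RE = re.compile(r"^\[monitor://(?P<path>[^\]]+)\]$")


def parse_inputs(text):
    """Return {monitor_path: {key: value}} for each [monitor://...] stanza."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("path")
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def matches(pattern, path):
    """Glob-match one file path against a stanza path.

    A path without wildcards is a plain file (matches only itself) or a
    directory (matches everything beneath it); anything else is a glob.
    """
    if pattern.endswith("/") or ("*" not in pattern and "?" not in pattern):
        base = pattern.rstrip("/")
        return path == base or path.startswith(base + "/")
    return fnmatch.fnmatchcase(path, pattern)


def route(stanzas, files):
    """Map each file to the indexes of the enabled stanzas that claim it.

    Returns (claims, unclaimed, overlaps): claims is {file: [index, ...]},
    unclaimed lists files no stanza matches, overlaps holds files matched by
    more than one stanza (a routing ambiguity worth fixing before go-live).
    """
    claims = defaultdict(list)
    for path, settings in stanzas.items():
        if settings.get("disabled", "false").lower() in ("1", "true"):
            continue
        for f in files:
            if matches(path, f):
                claims[f].append(settings.get("index", "default"))
    unclaimed = [f for f in files if f not in claims]
    overlaps = {f: idx for f, idx in claims.items() if len(idx) > 1}
    return dict(claims), unclaimed, overlaps


if __name__ == "__main__":
    claims, unclaimed, overlaps = route(parse_inputs(INPUTS_CONF), FILES)
    for f in FILES:
        print(f"{f:35} -> {', '.join(claims.get(f, ['(unclaimed)']))}")
    if overlaps:
        print("files claimed by more than one stanza:", overlaps)
```

With the constructed stanzas, the messages, cron and secure files each land in exactly one index, and the two maillog files are reported as unclaimed because no stanza covers them; a file showing up under two indexes is the case to look for when several wildcard stanzas share a directory.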