My inputs.conf contains:
[monitor:///usr/local/ecc_to_splunk/pickup/*.sp.*]
disabled = false
followTail = 0
host =
host_regex = /usr/local/ecc_to_splunk/pickup/(\w+)
sourcetype = clariion_sp
/usr/local/ecc_to_splunk/pickup contains:
APM00083100781.sp.20101221
APM00083100781.sp.20101222
APM00083100781.sp.20101223
APM00084800327.sp.20101221
APM00084800327.sp.20101222
APM00084800327.sp.20101223
APM00094100281.sp.20101221
APM00094100281.sp.20101222
APM00094100281.sp.20101223
but I'm getting this in splunkd.log:
INFO TailingProcessor - No configurations match, will ignore path='/usr/local/ecc_to_splunk/pickup/APM00084800327.sp.20101221'
It doesn't make a lot of sense as I have an almost identical monitor that's working fine - [monitor:///usr/local/ecc_to_splunk/pickup/*.disk.*]
Thanks in advance.
Silly troubleshooting tip here, but does the user that Splunk is running as have read permission for those files?
Yes, Splunk is running as root, and the .sp files have identical permissions to the other files in the same dir that are getting picked up. Thanks.