Getting Data In

directory monitor not picking up file

dinisco
Explorer

My inputs.conf contains:

[monitor:///usr/local/ecc_to_splunk/pickup/*.sp.*]
disabled = false
followTail = 0
host =
host_regex = /usr/local/ecc_to_splunk/pickup/(\w+)
sourcetype = clariion_sp

/usr/local/ecc_to_splunk/pickup contains:
APM00083100781.sp.20101221
APM00083100781.sp.20101222
APM00083100781.sp.20101223
APM00084800327.sp.20101221
APM00084800327.sp.20101222
APM00084800327.sp.20101223
APM00094100281.sp.20101221
APM00094100281.sp.20101222
APM00094100281.sp.20101223

but I'm getting this in splunkd.log: INFO TailingProcessor - No configurations match, will ignore path='/usr/local/ecc_to_splunk/pickup/APM00084800327.sp.20101221'

It doesn't make a lot of sense as I have an almost identical monitor that's working fine - [monitor:///usr/local/ecc_to_splunk/pickup/*.disk.*]

Thanks in advance.

0 Karma

bfaber
Communicator

Silly troubleshooting tip here, but does the user that Splunk is running as have read permission for those files?

0 Karma

dinisco
Explorer

yes, splunk is running as root and the .sp files have identical permissions to the other files in the same dir that are getting picked up. thanks.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...