I want to monitor the following:
C:\Users\...\AppData\Local\Microsoft\Windows\Burn
Sometimes within the Burn directory there will be other folders.
I want to monitor all the folders and files under the Burn directory.
The following does not appear to be working:
[monitor://C:\Users\...\AppData\Local\Microsoft\Windows\burn\]
sourcetype = WindowsBurnLog
disabled = 0
index=windows
Try adding "recursive = true" to the stanza. This should be the default, but worth a shot just in case.
Also, what exactly is not working? Do you only get files directly in the "burn" directory indexed? Do you get them from all users' folders or just some?
You may also want to try using:
monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn...*
Nothing really. I even added a "*"
tailingProcessor - Parsing configuration stanza: monitor://C:\Users...\AppData\Local\Microsoft\Windows\burn*
Check splunkd.log to see what Splunk says about this input.