My Server monitors 4 0ut of 5
The one below does not get monitored:
C:\Windows\System32\LogFiles\HTTPERR\httperr1.log
inputs.conf referring to this instance:
[monitor://C:\Windows\System32\LogFiles\HTTPERR]
disabled = false
followTail = 0
host = iis.windowsservername
sourcetype = iis_error
blacklist = \.gz$
Thank you. dam spaces 🙂
thanks again for your response
There are lots of possible reasons for your events not being seen where you expect them.
Start here:
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Cantfinddata
http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs
Apart from that, it might be a good idea to see what the forwarder thinks it is doing with the file by querying this url;
https://your_forwarder:8089/services/admin/inputstatus/TailingProcessor:FileStatus
You might also want to investigate this setting in inputs.conf on the forwarder.
alwaysOpenFile = [0|1]
* Opens a file to check whether it has already been indexed.
* Only useful for files that do not update modtime.
* Only needed when monitoring files on Windows, mostly for IIS logs.
* This flag should only be used as a last resort, as it increases load and slows down indexing.
* Defaults to 0.
/K