We are using SplunkUniversalForwarder 4.2.3 x64 to forward some logs. inputs.conf has the following stanzas:
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs\CustomMSTRLog*]
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =
[WinEventLog:Application]
disabled = 0
[WinEventLog:System]
disabled = 0
Eventlogs are getting forwarded without any issues but the apache logs are not. I am not seeing any errors in splunkd.log on the forwarder.
I was able to resolve the issue using a whitelist. I think the wildcard does not work because of (x86) in the path.
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs]
whitelist = Custom[^/]*.log$
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =
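To see which files the whitelist in the answer above actually selects, this added example (not part of the original post) runs that regex and a tightened variant against constructed file paths. It assumes the whitelist is applied as an unanchored regex search over the full file path and uses Python's re module as a stand-in for the forwarder's matcher; TIGHTENED and the sample paths are assumptions, not taken from the thread.

```python
import re

# Regex exactly as posted in the whitelist setting.
POSTED = r"Custom[^/]*.log$"
# Tightened variant (assumption, not from the thread): the name must start
# right after a backslash, may not cross another backslash, and the dot
# before "log" is a literal dot.
TIGHTENED = r"\\Custom[^\\]*\.log$"

# Constructed sample paths under the monitored directory.
BASE = r"D:\Program Files (x86)\MicroStrategy\Web Logs"
SAMPLES = [
    BASE + r"\CustomMSTRLog1.log",       # the file the stanza is meant to pick up
    BASE + r"\CustomMSTRLog1.log.1",     # rotated copy
    BASE + r"\CustomMSTRLog_backlog",    # no ".log" extension at all
    BASE + r"\Custom\archive\old.log",   # file below a "Custom" subdirectory
    BASE + r"\NotCustomMSTRLog.log",     # "Custom" appears mid-name
    BASE + r"\access.log",               # unrelated log
]


def matched(pattern, paths):
    """Return the paths an unanchored search for `pattern` selects."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def report(paths=SAMPLES):
    """Map each path to (selected by POSTED, selected by TIGHTENED)."""
    posted = set(matched(POSTED, paths))
    tight = set(matched(TIGHTENED, paths))
    return {p: (p in posted, p in tight) for p in paths}


if __name__ == "__main__":
    for path, (posted, tight) in report().items():
        print(f"posted={posted!s:5} tightened={tight!s:5} {path}")
```

The posted pattern also selects the extensionless file, the file below the subdirectory and the "NotCustom" file, because `.` matches any character and `[^/]` does not exclude the Windows path separator. Confirm the result on the forwarder itself with splunkd.exe list monitor before relying on either pattern.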
Hi anaptshah
There are many things that could prevent a file from being read by the universal forwarder:
splunkd.exe list monitor
show your stanza with the correct path?
Hope this helps a bit and you get it fixed.
cheers
I uploaded the incorrect stanza; the stanza that's not working is as follows:
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs\CustomMSTRLog*]
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =
splunkd.exe list monitor shows the directory but does not show any of the files. Is there something special about (x86)? The stanza on the original post works fine.